From 8b09ccc321271d80f75ee1af898b8239927377a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:15:03 +0000
Subject: [PATCH 001/375] Exported file: ./.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json.json
---
..._c4780b67-8059-45a5-8dc8-0301570477c0.json | 376 ++++++++++++++++++
1 file changed, 376 insertions(+)
create mode 100644 .sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
diff --git a/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
new file mode 100644
index 00000000..e2d864b0
--- /dev/null
+++ b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
@@ -0,0 +1,376 @@ +{ + "64ce2f23-eab3-4e96-899a-bd2403d21a86": "\"a7004ad4-0000-0800-0000-63d45e2f0000\"", + "c48bc19c-dba4-4da3-b215-c9086150d26f": "\"a70052d4-0000-0800-0000-63d45e300000\"", + "c2cab3a7-b80c-4b53-8126-9affe3ef96d4": "\"35002d68-0000-0800-0000-63f5638f0000\"", + "6a14a7a3-8278-47a8-b17a-2f9f1571362c": "\"3500554e-0000-0800-0000-63f55b050000\"", + "835a2032-8b67-4e89-a5c6-2d3c04526a70": "\"35007b4c-0000-0800-0000-63f557450000\"", + "bbe16dbb-c5b1-4796-a640-23be2e6e1e6f": "\"35007e4c-0000-0800-0000-63f557590000\"", + "29579f11-7599-48db-9ded-b81730a99f26": "\"3500844c-0000-0800-0000-63f5576e0000\"", + "9f7a0194-705a-45f9-a54d-a1a1d29354e0": "\"3500a24c-0000-0800-0000-63f557a90000\"", + "1dbb9018-2cb3-4818-87e0-8a4a5a1980dc": "\"3500ab4c-0000-0800-0000-63f557c40000\"", + "4d197e7a-078d-4401-9359-9c84a2335885": "\"3500b14c-0000-0800-0000-63f557d90000\"", + "118cc3d5-6ab5-493a-a0a9-793c9dd09875": "\"250037d3-0000-0800-0000-63ec4af90000\"", + "84af311a-0ca0-4e6e-9626-65cbcd255ceb": "\"3500b54c-0000-0800-0000-63f557f20000\"", + "fa3714b9-e6fa-4839-92cf-c7a3329e0edb": "\"3500ce4c-0000-0800-0000-63f558410000\"", + "2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd": "\"3500d34c-0000-0800-0000-63f558540000\"", + "3bef0ebd-28b7-465d-9f37-f2e69d390dbc": "\"3500ed4c-0000-0800-0000-63f558a60000\"", + "b129d496-e02c-479f-a5c7-16cc71ef63ad": "\"3500404d-0000-0800-0000-63f558bc0000\"", + "62e59eb2-2ac3-4a04-b73e-9aaea7a00c90": "\"35009f4d-0000-0800-0000-63f558d00000\"", + "8628a3cf-01b4-40ff-b06c-1ff6d5678535": "\"3500c34d-0000-0800-0000-63f558ea0000\"", + "2cca3599-da9a-4231-a9d2-b1f733201dbd": "\"3500c94d-0000-0800-0000-63f559010000\"", + "ee43dc07-3a2f-4c4d-b460-557389385470": "\"3500ce4d-0000-0800-0000-63f5591f0000\"", + "45f5eb6b-e221-44e3-928c-a372d76d1a6d": "\"3500d74d-0000-0800-0000-63f559350000\"", + "7b61a883-0219-4ac3-8058-29afe81b8e7e": "\"3500df4d-0000-0800-0000-63f559540000\"", + "5835ecfd-6b56-4f8e-9719-74d85e34c077": "\"3500e24d-0000-0800-0000-63f5596c0000\"", 
+ "798fde9b-d47c-4158-99e0-326a7f4e29d6": "\"3500ea4d-0000-0800-0000-63f559830000\"", + "a4490aac-93b0-4262-b08d-fb4bc4e74dd6": "\"3500f44d-0000-0800-0000-63f559990000\"", + "fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246": "\"3500fa4d-0000-0800-0000-63f559c30000\"", + "5892dbb0-9d3b-485a-b4cf-147e30b22cbe": "\"3500fe4d-0000-0800-0000-63f559d40000\"", + "75e2a7e7-535e-47ca-9fea-d30a0f0f104d": "\"3500064e-0000-0800-0000-63f559ee0000\"", + "288cca7e-3f39-42fc-ada2-eca124936ec2": "\"35000b4e-0000-0800-0000-63f55a000000\"", + "769308db-305a-47ed-9837-bfb6bec71ea7": "\"35001f4e-0000-0800-0000-63f55a5c0000\"", + "24b268fb-0acf-4315-808e-f1e941506be3": "\"3500264e-0000-0800-0000-63f55a740000\"", + "10254512-df08-4fea-8619-c505e87d377b": "\"3500354e-0000-0800-0000-63f55a870000\"", + "aa392189-9ff4-40f3-af07-3c2e454d5b22": "\"3500384e-0000-0800-0000-63f55a9b0000\"", + "78389019-b3c8-476c-9867-dee37f00f6ea": "\"35003c4e-0000-0800-0000-63f55ab20000\"", + "c2397090-face-41f6-ae70-89fc66312292": "\"3500474e-0000-0800-0000-63f55ac90000\"", + "edb16bf3-eeca-4545-901f-6b4d79a41be9": "\"35004a4e-0000-0800-0000-63f55add0000\"", + "6d3d9221-367e-4954-836b-a53bfb08d042": "\"35004f4e-0000-0800-0000-63f55af20000\"", + "09171b34-9e5d-4554-8675-f564c77f739d": "\"3500584e-0000-0800-0000-63f55b170000\"", + "0993b38b-fb86-4dc8-8b3d-8531f0b2e12b": "\"3500654e-0000-0800-0000-63f55b300000\"", + "15ce6bf5-76f6-4160-a6ab-cae48ccd14c7": "\"3500804e-0000-0800-0000-63f55b440000\"", + "defe98a5-5be4-4a6c-9808-eef4c1946f37": "\"3500004f-0000-0800-0000-63f55b600000\"", + "ebbc52fe-8427-412b-98a7-6804d5506f7d": "\"35003a4f-0000-0800-0000-63f55b740000\"", + "44975607-3f23-4632-871e-b08b59ebd68c": "\"3500834f-0000-0800-0000-63f55b880000\"", + "74a06942-f4b8-440a-bcbb-829dc41948ba": "\"3500be4f-0000-0800-0000-63f55b9a0000\"", + "4e137990-3aad-4695-8ea5-eac1e16a9451": "\"35001150-0000-0800-0000-63f55bb00000\"", + "dea3bd60-9ee8-49fd-a859-3bab903451e5": "\"35005550-0000-0800-0000-63f55bc20000\"", + 
"0bffacb7-52da-463c-8ae4-62c09da8c510": "\"35009c50-0000-0800-0000-63f55bd70000\"", + "d6f670a3-6443-47c0-8c9e-387a1d0e58c0": "\"35000f51-0000-0800-0000-63f55bea0000\"", + "05c4ea76-9c7f-4865-824b-178cbb899a82": "\"35006a51-0000-0800-0000-63f55c030000\"", + "7bf49942-c5ad-448a-bf6b-893f39186ea2": "\"3500ef51-0000-0800-0000-63f55c200000\"", + "5410fda8-a757-41b6-97f1-79a08f07dd0f": "\"35004852-0000-0800-0000-63f55c330000\"", + "41f05d3b-cc19-40f4-942e-d6748668eb18": "\"35008b52-0000-0800-0000-63f55c460000\"", + "4f53eb74-71dc-4775-a62c-ff48580a8bb2": "\"3500cc52-0000-0800-0000-63f55c580000\"", + "4413d174-435c-48a7-8a3c-437db7ff3939": "\"35001753-0000-0800-0000-63f55c6d0000\"", + "ece1918c-59f2-43ec-841a-7ef0e99c3b7f": "\"35006a53-0000-0800-0000-63f55c800000\"", + "29e3406d-b57c-411b-8604-4b77ff01e36f": "\"3500c153-0000-0800-0000-63f55c920000\"", + "d06f4dc9-2343-4bd9-85a1-86436bcf45fb": "\"35001554-0000-0800-0000-63f55ca60000\"", + "094a8752-7d9e-4873-84ee-ff561e73b3c0": "\"35007854-0000-0800-0000-63f55cbd0000\"", + "afa9ee13-2d74-4ca6-bb7e-8193ba946d40": "\"35008954-0000-0800-0000-63f55cd40000\"", + "872545df-734f-481c-acd9-4a2d7af889e3": "\"35008f54-0000-0800-0000-63f55ce80000\"", + "6be5f005-18ec-4034-8f0d-13b8ce42b11a": "\"3500a054-0000-0800-0000-63f55cfb0000\"", + "7d5851b1-5d59-44da-9b51-5a0482707723": "\"3500a454-0000-0800-0000-63f55d0e0000\"", + "d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a": "\"3500a754-0000-0800-0000-63f55d2c0000\"", + "814a077a-8846-4195-af81-d17d1bbfd54d": "\"3500c354-0000-0800-0000-63f55d4a0000\"", + "2888ae98-ce2c-44e9-a841-001e775b0b7a": "\"3500ca54-0000-0800-0000-63f55d610000\"", + "a438db5b-f71f-4cb7-98ad-335e3b8ba533": "\"3500ce54-0000-0800-0000-63f55d730000\"", + "cda5807c-80cb-4159-adcb-884589deef20": "\"3500d654-0000-0800-0000-63f55d8f0000\"", + "4a9a7b49-4e79-4f64-b778-209a63227af1": "\"3500e154-0000-0800-0000-63f55da10000\"", + "56bd3d9c-25ae-42f7-80b5-b3be274f9971": "\"35000655-0000-0800-0000-63f55df70000\"", + 
"fc32fc57-e12b-4823-b40a-86ede70b5af7": "\"35001d55-0000-0800-0000-63f55e0d0000\"", + "1ffcf2eb-7b20-4385-add1-d47244784479": "\"35009c55-0000-0800-0000-63f55e200000\"", + "a095755b-fc1c-4311-a607-118eb9170048": "\"3500b056-0000-0800-0000-63f55e340000\"", + "9bcc4a9b-d85e-4927-a32e-b8284cfa5422": "\"3500ba57-0000-0800-0000-63f55e470000\"", + "aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4": "\"3500bc58-0000-0800-0000-63f55e5a0000\"", + "3df7345e-b037-4478-a753-dd23d194b187": "\"3500165a-0000-0800-0000-63f55e740000\"", + "8e494d49-35d6-4cea-b30d-29f22c179aab": "\"35008a5b-0000-0800-0000-63f55e8c0000\"", + "f6dda353-e32a-41e2-b892-87012ab48a79": "\"35002d5d-0000-0800-0000-63f55eaa0000\"", + "ece332c1-3f76-49d9-92fb-c94bc4af948d": "\"3500755e-0000-0800-0000-63f55ebf0000\"", + "b40835ac-6aa1-44c8-94ee-9634550cbf43": "\"35005a60-0000-0800-0000-63f55eda0000\"", + "af215a8a-6d4d-4018-9e57-232303ee41d6": "\"3500c561-0000-0800-0000-63f55eed0000\"", + "ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e": "\"3500df63-0000-0800-0000-63f55f060000\"", + "eef3a7d9-3be0-461b-9136-dfd2485f0fe5": "\"3500b064-0000-0800-0000-63f55f1b0000\"", + "4715c9ad-d4c0-4eed-b1a7-fa0a808deff4": "\"3500b664-0000-0800-0000-63f55f360000\"", + "6769d928-39db-442b-8af3-4477e02f38fc": "\"3500bb64-0000-0800-0000-63f55f490000\"", + "fd78be72-fc73-4cb5-aef3-b9f61b35c1be": "\"3500bf64-0000-0800-0000-63f55f5e0000\"", + "08df1b8f-e53a-4f2e-9bd3-b3908f512f46": "\"3500c264-0000-0800-0000-63f55f730000\"", + "9aa0f3fe-1c85-48de-b37f-63b61b97b3d6": "\"3500c964-0000-0800-0000-63f55f8a0000\"", + "6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974": "\"3500cc64-0000-0800-0000-63f55f9f0000\"", + "33e7e266-a87e-454d-8e09-6d3e131d75ee": "\"3500d264-0000-0800-0000-63f55fb80000\"", + "881f8a7b-1178-4f35-9b02-7fc5414ba7f8": "\"3500df64-0000-0800-0000-63f55fcd0000\"", + "79061028-980a-4760-881b-52e79c1015c6": "\"35007565-0000-0800-0000-63f55fdf0000\"", + "b674088a-825a-4b49-ad10-7ffa5d483059": "\"35006b66-0000-0800-0000-63f55ff50000\"", + 
"f740a0e2-386b-4470-8b13-284d2ee5dce5": "\"35000467-0000-0800-0000-63f560170000\"", + "fd536808-fae9-4fc6-b046-9cd28b7e9e19": "\"35000867-0000-0800-0000-63f5602a0000\"", + "3e4f6960-6e74-4b97-960b-6eca2383de68": "\"35001f67-0000-0800-0000-63f560440000\"", + "41da3e01-b685-4352-bded-ae2646b20c5c": "\"35002667-0000-0800-0000-63f560680000\"", + "8e545f53-bfa1-47e0-997d-d7f67d02eda4": "\"35002b67-0000-0800-0000-63f5607d0000\"", + "bde332b1-a602-44eb-b834-99dc1e0b42d9": "\"35002e67-0000-0800-0000-63f5608e0000\"", + "bc94a765-bab8-4692-9cec-86978582f1b8": "\"35003467-0000-0800-0000-63f560a40000\"", + "7791c2cc-28ac-4387-87e7-9ddda54c2543": "\"35003767-0000-0800-0000-63f560b70000\"", + "99d7dd4b-3f78-4f82-b514-82a22fe2eb3a": "\"35003a67-0000-0800-0000-63f560cd0000\"", + "3c22319a-c4d1-411e-8764-72a96333f21e": "\"35004b67-0000-0800-0000-63f561270000\"", + "0ae05016-a937-41c9-92ab-9c347b0ea127": "\"35005167-0000-0800-0000-63f561410000\"", + "534eed88-50e6-4584-a8f0-c245d16537e9": "\"35005767-0000-0800-0000-63f561530000\"", + "f440c27a-949f-44a8-8617-6533617ce4c6": "\"35006367-0000-0800-0000-63f561660000\"", + "f41c2cf0-14ea-42fb-a07e-c7514a198d17": "\"35006a67-0000-0800-0000-63f5617c0000\"", + "8931ab6f-b308-4242-9876-014014c6b8ff": "\"35007167-0000-0800-0000-63f561950000\"", + "a21f9398-0e6d-4d8a-a9cf-4becee5853b0": "\"35007667-0000-0800-0000-63f561ad0000\"", + "b0a0ec4e-ca45-42df-aaca-8487d921115d": "\"35007967-0000-0800-0000-63f561c20000\"", + "4e451694-0fbc-4df8-83ca-1cbc82d3e019": "\"35007e67-0000-0800-0000-63f561da0000\"", + "511e0713-a13f-4f83-8021-b8a22bb9bcc4": "\"35008267-0000-0800-0000-63f561ed0000\"", + "176ecb24-2007-4d65-a832-af6efe88afb5": "\"35008667-0000-0800-0000-63f562010000\"", + "a37d6c4a-630f-40f1-8ed7-85033c97b226": "\"35008a67-0000-0800-0000-63f562160000\"", + "3e0c16d9-b987-4982-8917-261b9b619c83": "\"35008f67-0000-0800-0000-63f562280000\"", + "a48aee53-b375-4d5c-b0e2-9d534f99bed8": "\"35009267-0000-0800-0000-63f5623a0000\"", + 
"a52b38c6-0473-4282-b1ac-a34022f46447": "\"35009867-0000-0800-0000-63f562520000\"", + "b52679aa-c825-444f-8dc3-2e679658b552": "\"35009b67-0000-0800-0000-63f5626c0000\"", + "d12000f0-f1b6-4344-bb3c-a8988e77eb75": "\"35009f67-0000-0800-0000-63f5627f0000\"", + "75cbd5b7-4158-4e21-8ce3-8197e05caa7f": "\"3500ab67-0000-0800-0000-63f562940000\"", + "675ea0df-9fff-4dc5-b0ee-521faf737c55": "\"3500b367-0000-0800-0000-63f562a80000\"", + "215089a8-4173-47cc-801b-56f449b9e978": "\"3500b667-0000-0800-0000-63f562bd0000\"", + "efea115d-c997-4be7-adcb-95afd6643a0a": "\"3500bd67-0000-0800-0000-63f562da0000\"", + "da88214f-a4b3-48fc-b8c3-fa71bb3ef678": "\"3500c267-0000-0800-0000-63f562f10000\"", + "149a0db6-2ad7-4e69-bf36-0c4f62873101": "\"35000568-0000-0800-0000-63f5633f0000\"", + "789aca0f-8766-49a2-84b7-1d68e2db7652": "\"35000b68-0000-0800-0000-63f563550000\"", + "481c342f-c33a-455b-82d5-2205b068f5d0": "\"35002668-0000-0800-0000-63f563660000\"", + "204119a5-daf5-4bfb-a565-a6bbf5dec2ad": "\"35002a68-0000-0800-0000-63f563780000\"", + "eb68e7af-1e04-45c3-985f-76e076002f57": "\"35004a68-0000-0800-0000-63f563aa0000\"", + "b42fd648-56d8-405b-8303-ecbf32e7f3be": "\"35005468-0000-0800-0000-63f563bd0000\"", + "f25caf39-8a25-48d1-b564-3098bfb1a4b3": "\"35006b68-0000-0800-0000-63f563d10000\"", + "d7b90ebc-9243-4837-bc04-15808d6fffdf": "\"35007968-0000-0800-0000-63f563e50000\"", + "e6926bd2-1c73-494e-b193-b5853be6b838": "\"35007c68-0000-0800-0000-63f563f80000\"", + "5178c35e-cf89-4442-b41b-ff963659f9a5": "\"35008168-0000-0800-0000-63f564120000\"", + "25bd255a-bf5e-4c83-b39f-fb8570442411": "\"35008468-0000-0800-0000-63f564250000\"", + "b7d192e4-4786-463b-acef-ae7ea5569a06": "\"35008968-0000-0800-0000-63f564370000\"", + "a6e2aa27-43bc-45b2-b96d-48b735364839": "\"35008d68-0000-0800-0000-63f564550000\"", + "eb2153ae-e569-42cf-8467-40f05affa51f": "\"35009868-0000-0800-0000-63f564680000\"", + "f801914e-c351-43d7-b2a7-ba58f064fda6": "\"3500a268-0000-0800-0000-63f5647b0000\"", + 
"c655ec79-ccbb-4940-b53f-a1f0a6583a53": "\"3500ac68-0000-0800-0000-63f564920000\"", + "ba38e02e-2c7c-4744-9292-8df5f3fc28ac": "\"3500b068-0000-0800-0000-63f564aa0000\"", + "a649754e-0850-48be-af9d-9ae66e282259": "\"3500b368-0000-0800-0000-63f564bd0000\"", + "048acbb1-a65f-405e-b6bd-da47b59dffa7": "\"3500b768-0000-0800-0000-63f564d10000\"", + "432364d6-323c-41fb-a646-12ae79e3d321": "\"3500c268-0000-0800-0000-63f564ea0000\"", + "1b1e0484-a8d7-4116-bbc0-294d9d45aa1d": "\"3500c968-0000-0800-0000-63f564fe0000\"", + "a203a1c1-5360-4d2b-a61e-7e02066ef891": "\"3500d968-0000-0800-0000-63f565170000\"", + "e9f798a0-8821-4cde-9667-21d84cc45915": "\"3500df68-0000-0800-0000-63f5652c0000\"", + "58279f6d-5629-40b2-852b-66c575dbb0ca": "\"3500e368-0000-0800-0000-63f565480000\"", + "689e109d-46e0-4f54-b0b4-1377167cd660": "\"3500ff68-0000-0800-0000-63f5655e0000\"", + "f3f94d19-f440-483e-b11a-231f93731fe8": "\"35000469-0000-0800-0000-63f565730000\"", + "f9862418-b01a-40d9-84e1-bece0e2e89bb": "\"35000a69-0000-0800-0000-63f565850000\"", + "bf490122-cedd-48e7-ba93-246d9ba9bfae": "\"35000f69-0000-0800-0000-63f5659c0000\"", + "9aab9ad2-d911-4d72-95ba-0fa53d80af93": "\"35001569-0000-0800-0000-63f565af0000\"", + "338cfd75-5f86-4e98-91a0-87733bd4698e": "\"35001a69-0000-0800-0000-63f565c30000\"", + "9970db1b-bed7-4ca6-a5ea-effa3aac7b05": "\"35001f69-0000-0800-0000-63f565da0000\"", + "c6b7994e-ae58-499c-bdac-a7035e8858de": "\"35002269-0000-0800-0000-63f565ec0000\"", + "59b0b0bc-b313-42b4-a3d9-7c5dc383b448": "\"35002669-0000-0800-0000-63f565ff0000\"", + "36af90d3-daf0-4785-a195-afa11219595f": "\"35002c69-0000-0800-0000-63f566130000\"", + "c4f34b46-8c20-46f0-b790-23d2bd555b6a": "\"35004769-0000-0800-0000-63f5665f0000\"", + "17cf26a4-edee-458d-a467-5933e8c1a1aa": "\"35004f69-0000-0800-0000-63f566830000\"", + "6b67df71-a90e-424c-8725-e7f9574d716f": "\"35005369-0000-0800-0000-63f566990000\"", + "68b67702-32ef-41ac-a8b2-f793d9689274": "\"35006969-0000-0800-0000-63f566af0000\"", + 
"a814a61a-672f-431f-9b2b-869e9bcaa534": "\"35007569-0000-0800-0000-63f566ca0000\"", + "f45e4a0d-2bbf-417c-97b7-643c7d4a0f93": "\"35007969-0000-0800-0000-63f566e30000\"", + "837ae291-8946-4918-a036-a22f4da70456": "\"35008169-0000-0800-0000-63f566fd0000\"", + "7fa27bab-66bb-4d8c-a80e-843f48e2a3b0": "\"35008469-0000-0800-0000-63f567140000\"", + "04adf3cf-371a-475f-9f03-f7991a6f3aa3": "\"3500a169-0000-0800-0000-63f567400000\"", + "16b51acb-d11f-4570-ad5b-2a33fb52e25f": "\"3500a969-0000-0800-0000-63f567590000\"", + "af5d8d85-ac5f-4ef7-bf10-7b43986ec91d": "\"3500ac69-0000-0800-0000-63f5676e0000\"", + "4ef59b89-0b97-4fca-99d0-6b3f861142cf": "\"3500c969-0000-0800-0000-63f567c00000\"", + "e001fc5b-00f7-47eb-ad14-4f68ac4b56fa": "\"3500cd69-0000-0800-0000-63f567d30000\"", + "8adb0ef2-02b3-4efd-81b3-20f79556d862": "\"3500d469-0000-0800-0000-63f567ed0000\"", + "a36172b6-4acf-4915-b0c5-ea8be7d05c86": "\"3500d769-0000-0800-0000-63f568010000\"", + "516cc0be-cc97-486b-928e-0e222352ba46": "\"3500dc69-0000-0800-0000-63f568130000\"", + "4515ed4c-edac-40b7-9ba0-1e96b7db4572": "\"3500e069-0000-0800-0000-63f568270000\"", + "4059cc8c-74ef-43f9-abed-bb067aa015ae": "\"3500e369-0000-0800-0000-63f568390000\"", + "8fb31b17-e360-4b59-a281-19c4fe483909": "\"3500e769-0000-0800-0000-63f5684c0000\"", + "edec3f95-3e38-4140-a078-96c6bf105d1a": "\"3500ee69-0000-0800-0000-63f568640000\"", + "4e52f7d5-cb46-4880-9b3a-279444078bcf": "\"3500016a-0000-0800-0000-63f568780000\"", + "dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46": "\"3500076a-0000-0800-0000-63f568940000\"", + "74893bd0-8ffa-4e9f-83a5-58ed055824bc": "\"35000d6a-0000-0800-0000-63f568ad0000\"", + "2f33cb73-78b6-4886-8434-f319deea8d62": "\"3500146a-0000-0800-0000-63f568be0000\"", + "9d356cdc-fd63-4071-bc5b-f06d5effc36f": "\"35001a6a-0000-0800-0000-63f568e30000\"", + "e669ef82-838e-40b8-8423-efd8303206c6": "\"3500206a-0000-0800-0000-63f568fe0000\"", + "beb39f94-ac53-4ab4-b1c2-7b591497b571": "\"3500246a-0000-0800-0000-63f569120000\"", + 
"20412a8c-a3a7-41a5-8620-6d4c724d3092": "\"35002b6a-0000-0800-0000-63f569290000\"", + "595b910c-156b-4a20-996e-06c50a217133": "\"3500486a-0000-0800-0000-63f569430000\"", + "22cf036c-2193-4352-9fb5-869ed7dc00a6": "\"35004d6a-0000-0800-0000-63f569580000\"", + "a0ee0fdf-b347-449d-8cdb-b750cc062e02": "\"3500516a-0000-0800-0000-63f5696c0000\"", + "2c3d7a74-362a-4a6e-836a-279bc1fd8813": "\"3500756a-0000-0800-0000-63f5697e0000\"", + "32d3c923-7729-41bc-8b18-790e97726d79": "\"35008d6a-0000-0800-0000-63f569920000\"", + "49325680-a0e6-4b0d-b9ea-cc4991de4c73": "\"3500ba6a-0000-0800-0000-63f569aa0000\"", + "d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d": "\"3500ce6a-0000-0800-0000-63f569df0000\"", + "34be0f95-d845-4501-a64f-3f272d3e7d52": "\"3500d16a-0000-0800-0000-63f569f30000\"", + "5fa2554b-b319-4605-ad60-92601ac5d7ba": "\"3500e76a-0000-0800-0000-63f56a0a0000\"", + "ab212c5e-07ce-439e-a2d3-cba34ff1cc1d": "\"3500006b-0000-0800-0000-63f56a240000\"", + "58d21291-77aa-4e73-9603-1cefbe80b39c": "\"35002e6b-0000-0800-0000-63f56a9d0000\"", + "eba9eb63-e5e8-4617-87f7-492aedad803a": "\"3500396b-0000-0800-0000-63f56ab20000\"", + "bedfc0cf-b75b-4574-9de6-1b38a51fc987": "\"3500496b-0000-0800-0000-63f56ac90000\"", + "ed27aa54-2adc-4774-ae30-6f84a1de0213": "\"3a004472-0000-0800-0000-63f81ea90000\"", + "7c192267-ac8a-4182-9336-f5e7647fe9e5": "\"1f00d02a-0000-0800-0000-63e711b10000\"", + "63d1052b-e396-4366-a76f-4665b4b8f319": "\"2500f8ce-0000-0800-0000-63ec43700000\"", + "927ca451-fe12-4de3-983d-bd50cc359b7f": "\"250013cf-0000-0800-0000-63ec43920000\"", + "895522a3-ae18-4771-add7-334f7b4a3124": "\"25007dd2-0000-0800-0000-63ec492b0000\"", + "fcd7bae2-0354-454d-9884-18880ff95fe8": "\"2500e9d2-0000-0800-0000-63ec4ad60000\"", + "02ca5f41-a642-413b-aec0-51b9e20cce8a": "\"35008869-0000-0800-0000-63f567280000\"", + "8ccf4287-558c-445f-9331-ebb58c2be800": "\"35006b6b-0000-0800-0000-63f56ae90000\"", + "0a9646c6-c11c-4190-83be-ff0440581ebd": "\"35006f6b-0000-0800-0000-63f56afc0000\"", + 
"324b11f6-6382-45b4-934b-3f60ff4457a3": "\"3500756b-0000-0800-0000-63f56b240000\"", + "8e6cbbe1-93ba-45ab-8731-82d2802a60df": "\"3500796b-0000-0800-0000-63f56b360000\"", + "c3ec0a36-7cf7-47df-a82c-fc32720db69f": "\"35007d6b-0000-0800-0000-63f56b490000\"", + "fe7d80f1-5bd1-409b-89df-c48b2f340b80": "\"35008b6b-0000-0800-0000-63f56b5c0000\"", + "0f5a5c06-ca09-4075-890a-e46be2ee412a": "\"35009a6b-0000-0800-0000-63f56b6e0000\"", + "64c74af9-0412-4732-89f8-86f46e4897eb": "\"3500b56b-0000-0800-0000-63f56b820000\"", + "3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646": "\"3500bb6b-0000-0800-0000-63f56b950000\"", + "1ef21999-d53f-4840-bde9-6b90ee767bb7": "\"3500da6b-0000-0800-0000-63f56bb00000\"", + "6392295f-31e9-45da-8c14-5554a2b3fb7c": "\"3500f76b-0000-0800-0000-63f56bc10000\"", + "1217fe0b-489f-434b-9c6d-877c44610d0b": "\"3500fb6b-0000-0800-0000-63f56bd40000\"", + "86475faa-04ff-4383-86b2-ebca93ca8097": "\"3500136c-0000-0800-0000-63f56be60000\"", + "52bb7be6-1fb5-424b-bb24-84d427d91626": "\"35002a6c-0000-0800-0000-63f56c030000\"", + "4af76a04-0e2a-4892-ae63-3de3b4e9ead2": "\"35002f6c-0000-0800-0000-63f56c210000\"", + "a0021314-e49e-45d9-801f-e7bca20e9046": "\"3500336c-0000-0800-0000-63f56c320000\"", + "84cfa531-ea08-4c84-a1a1-d85c55c45f06": "\"3500376c-0000-0800-0000-63f56c4a0000\"", + "89bbc939-d47e-4b36-82dc-bcec562f0763": "\"3500486c-0000-0800-0000-63f56c5c0000\"", + "6f4474f5-8c95-4248-a56d-510a85fb07b3": "\"35006e6c-0000-0800-0000-63f56c780000\"", + "91d5304a-0628-4ab8-9c57-670bb4da620b": "\"35007c6c-0000-0800-0000-63f56c8b0000\"", + "8cfd3e23-2616-4c6f-b061-a8e47d0536bb": "\"35008d6c-0000-0800-0000-63f56c9f0000\"", + "2636af24-3225-405a-aa4b-7b455f326445": "\"35009e6c-0000-0800-0000-63f56cbb0000\"", + "9abf000c-f4ad-413f-9cd7-405d95349988": "\"3500a66c-0000-0800-0000-63f56cd50000\"", + "6e485f07-3a11-4eb5-ac2a-d1b82aca8c62": "\"3500b56c-0000-0800-0000-63f56ce70000\"", + "fd68f806-d8b0-4c8f-aa0f-3b78b59f157f": "\"3500cd6c-0000-0800-0000-63f56cfa0000\"", + 
"704b2418-b2bd-4b4a-8f9e-cf47562e133d": "\"3500d16c-0000-0800-0000-63f56d0c0000\"", + "b3345cc6-ee8c-46d4-abc9-8adae4b877d1": "\"3500e26c-0000-0800-0000-63f56d270000\"", + "3aa3ab52-566f-46a0-a5c9-caba62eaa518": "\"3500e96c-0000-0800-0000-63f56d3b0000\"", + "cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0": "\"3500ed6c-0000-0800-0000-63f56d4d0000\"", + "9df8fa13-f28b-41d5-8065-9d7e234aaa26": "\"3500f16c-0000-0800-0000-63f56d660000\"", + "c20c6d74-5470-4242-a748-d5625abb65b1": "\"3500f56c-0000-0800-0000-63f56d790000\"", + "340041fc-2cb7-423b-9da9-ec04a258f864": "\"3500f86c-0000-0800-0000-63f56d8b0000\"", + "d012df68-9c36-431a-acc1-704063e21101": "\"3500fb6c-0000-0800-0000-63f56d9d0000\"", + "bb49283b-b564-43d4-868c-2a6186144d8e": "\"3500186d-0000-0800-0000-63f56db20000\"", + "fa482a76-22d1-469d-8a47-510e71286ddd": "\"35001d6d-0000-0800-0000-63f56dc30000\"", + "bb0035d3-3ac9-40d5-976e-6076f906473c": "\"3500216d-0000-0800-0000-63f56dda0000\"", + "61a3f08d-ad2d-49cb-baac-9edc6235e968": "\"3500256d-0000-0800-0000-63f56df20000\"", + "f88f852a-b2cb-4e34-b282-36549eb50b2b": "\"35002b6d-0000-0800-0000-63f56e090000\"", + "efe3369b-f57f-4fb2-9570-d7a9fe32b526": "\"35002f6d-0000-0800-0000-63f56e1f0000\"", + "2950dda7-bc3f-4e83-9528-80df8dbe1368": "\"3500466d-0000-0800-0000-63f56e350000\"", + "e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e": "\"3500576d-0000-0800-0000-63f56e4f0000\"", + "fe861c55-a355-4af2-8e9e-2e2d8f7a68d9": "\"35005c6d-0000-0800-0000-63f56e620000\"", + "b63935f5-aae3-45b5-bd0d-f2da794fd126": "\"35005f6d-0000-0800-0000-63f56e750000\"", + "57b338f9-1c0e-42ee-9b56-1af8886e2047": "\"3500626d-0000-0800-0000-63f56e860000\"", + "ce11fda8-f604-4547-af58-fa313e8a8146": "\"3500676d-0000-0800-0000-63f56e990000\"", + "3d7a19b1-33bc-429e-b5d3-b6d0ab02216c": "\"35006d6d-0000-0800-0000-63f56eb30000\"", + "b131e363-3009-4942-a35c-14d5c7284ead": "\"3500706d-0000-0800-0000-63f56ec70000\"", + "916dae72-d95a-41c4-9370-30ff57177fbf": "\"3500736d-0000-0800-0000-63f56eda0000\"", + 
"066d6852-04de-4dab-9b95-bd3d2835a859": "\"3500776d-0000-0800-0000-63f56eed0000\"", + "b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b": "\"35007c6d-0000-0800-0000-63f56f050000\"", + "fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2": "\"3500816d-0000-0800-0000-63f56f180000\"", + "c34a8927-e01b-4de6-ae5f-52fb6ac204f9": "\"3500866d-0000-0800-0000-63f56f2b0000\"", + "00f4fd35-801a-4996-a1c5-bde58605be5c": "\"35008b6d-0000-0800-0000-63f56f3d0000\"", + "e901d93b-d192-4fac-8c53-9e023b8ef3c0": "\"35008e6d-0000-0800-0000-63f56f500000\"", + "74131d4a-83fd-4606-a5f4-71dc1d169a3d": "\"3500926d-0000-0800-0000-63f56f630000\"", + "91011f1e-3186-450d-9cd7-83e9c840508a": "\"3500996d-0000-0800-0000-63f56f760000\"", + "4b4b2f57-ace1-4d2d-9793-942442bc9668": "\"3500a06d-0000-0800-0000-63f56f8d0000\"", + "d4f0a426-2354-416f-9999-b8d28d3e93ed": "\"3500a36d-0000-0800-0000-63f56fa00000\"", + "370b2ef6-5d11-4827-a36a-eadd0cd821fe": "\"3500a66d-0000-0800-0000-63f56fb20000\"", + "9798584d-ebeb-4a0d-89f1-df23ee5a9edf": "\"3500aa6d-0000-0800-0000-63f56fc70000\"", + "51c23e70-6d7e-47c5-87b0-e798a636931d": "\"3500ad6d-0000-0800-0000-63f56fd80000\"", + "7e19583d-27e1-41c2-90a9-3f813155c6ce": "\"3500b26d-0000-0800-0000-63f56fea0000\"", + "a9e6f155-4049-4401-89e3-a9f769675eb6": "\"3500b66d-0000-0800-0000-63f56ffe0000\"", + "4f1de90b-7ff1-441a-af02-0a2a86ca9848": "\"3500ba6d-0000-0800-0000-63f570130000\"", + "9199567e-9c5d-4078-8f0f-40e9d4d5836c": "\"3500c56d-0000-0800-0000-63f570280000\"", + "66ee9d45-4e7e-4b0d-a361-377cd3662750": "\"3500d26d-0000-0800-0000-63f5703f0000\"", + "94d72012-0846-4f42-9d26-51f9cdb2fa6e": "\"3500d86d-0000-0800-0000-63f570530000\"", + "697575c4-83f0-4d98-9594-b6f254db566a": "\"3500db6d-0000-0800-0000-63f570680000\"", + "454abbc9-3d65-4dfb-9446-0af12f681192": "\"3500e06d-0000-0800-0000-63f570850000\"", + "7d070056-c31e-46a3-8ab6-299510132e4f": "\"3500e66d-0000-0800-0000-63f5709a0000\"", + "80e77d48-d0f1-4d7d-bb68-2ad8123ba8db": "\"3500ef6d-0000-0800-0000-63f570ae0000\"", + 
"bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b": "\"3500f46d-0000-0800-0000-63f570c40000\"", + "3c746716-20a6-46bd-98fd-d5c9d0aa1553": "\"3500f76d-0000-0800-0000-63f570d70000\"", + "8ed981a2-337b-4542-a371-3968ac93f923": "\"3500fd6d-0000-0800-0000-63f570ef0000\"", + "55f68d39-f930-44bd-acb6-4eddd9007237": "\"3500546e-0000-0800-0000-63f571060000\"", + "b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3": "\"35009f6e-0000-0800-0000-63f5711c0000\"", + "35efaa1c-ca0f-4fc8-b30b-993f1502dadc": "\"3500be6e-0000-0800-0000-63f571300000\"", + "4416b145-266e-461b-b5bf-c346069f404e": "\"3500ee6e-0000-0800-0000-63f571490000\"", + "47a5442c-c3e1-4a44-829b-a0fce5ffdb54": "\"3500196f-0000-0800-0000-63f571650000\"", + "7aa0650e-f8b6-4737-9894-85f684aa5d18": "\"3500506f-0000-0800-0000-63f571840000\"", + "5fcaa294-5c2f-495c-acf4-f6a93b6589f9": "\"35006b6f-0000-0800-0000-63f571960000\"", + "3838a2fe-0433-432b-8f34-fd48f0930148": "\"3500886f-0000-0800-0000-63f571ae0000\"", + "fddce345-91bc-4cba-82f9-af733f7cdc69": "\"3500a46f-0000-0800-0000-63f571c10000\"", + "b26de50a-8f22-4454-ae13-6442ac7decad": "\"3500d86f-0000-0800-0000-63f571d40000\"", + "b59ad89c-249e-462f-ac68-c23a93202fa3": "\"3500fb6f-0000-0800-0000-63f571e60000\"", + "6fbd8942-976f-4b19-94c6-785e9f05136e": "\"35002c70-0000-0800-0000-63f572350000\"", + "3f40377b-15d8-490f-a8d7-82c385f81829": "\"35003070-0000-0800-0000-63f5724a0000\"", + "e557ae74-ef8a-4bab-b807-959486942ceb": "\"35003570-0000-0800-0000-63f572630000\"", + "9578ea47-ee34-4289-9aa2-05630ecf2f1b": "\"35003a70-0000-0800-0000-63f572760000\"", + "e52bd802-3e96-4391-8b7f-c57e58539370": "\"35004e70-0000-0800-0000-63f5729e0000\"", + "aaa53051-1af4-42d9-a523-c08752580ade": "\"35005c70-0000-0800-0000-63f572b60000\"", + "cda14730-b43b-4099-a785-6145306928b9": "\"35006070-0000-0800-0000-63f572cb0000\"", + "af136dbc-b98a-4c3b-9842-e076768ae2a1": "\"35006470-0000-0800-0000-63f572e20000\"", + "1c6090a0-fa8a-4ebe-b8b2-5576114a384f": "\"35006c70-0000-0800-0000-63f572f40000\"", + 
"1e944163-f959-46f8-9760-95a54652437b": "\"35007d70-0000-0800-0000-63f5730b0000\"", + "fd618de1-e892-433a-9bc3-4d5d94edf017": "\"35008070-0000-0800-0000-63f5731e0000\"", + "8ef3b755-c57d-4103-8ad3-7536adbdd953": "\"35008770-0000-0800-0000-63f573360000\"", + "61cf974b-9170-4e7e-9c13-f801cce8b2c2": "\"35009370-0000-0800-0000-63f573850000\"", + "85e14dab-bc47-4f28-810f-47db9aa5896f": "\"35009970-0000-0800-0000-63f5739c0000\"", + "b4b19b2b-c30f-4f25-b5d5-762e7ceeef99": "\"35009d70-0000-0800-0000-63f573b40000\"", + "8d2677a1-dcf3-42b1-848b-a0a7055016d8": "\"3500a270-0000-0800-0000-63f573cb0000\"", + "6ee20e13-a511-42e0-beb8-020666b7071c": "\"3500a870-0000-0800-0000-63f573e20000\"", + "1d14a23e-7c19-4d9b-8775-eb282774958d": "\"3500ab70-0000-0800-0000-63f573f50000\"", + "6cef2de7-424f-4297-b732-b8985477fb7e": "\"3500af70-0000-0800-0000-63f5740b0000\"", + "c5141be2-18ae-4afc-a9f5-b07e5746cee1": "\"3500b770-0000-0800-0000-63f574220000\"", + "c110f9e8-7ac6-496f-8df7-da0c413e767e": "\"3500db70-0000-0800-0000-63f5743d0000\"", + "c5b4fb13-738e-4591-a704-741486688b20": "\"3500ec70-0000-0800-0000-63f574540000\"", + "a0ae8d0a-38d8-441f-b491-134cf3151846": "\"3500f370-0000-0800-0000-63f5746c0000\"", + "460cbcbe-314d-4841-8398-6926043768b8": "\"3500f670-0000-0800-0000-63f5747e0000\"", + "9aa5f4c8-b3ad-458f-92e4-d4cf21948c59": "\"35000471-0000-0800-0000-63f574d50000\"", + "f34bfe11-29ce-41f8-9a1e-167cd3302d0e": "\"35000771-0000-0800-0000-63f574ec0000\"", + "3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f": "\"35000d71-0000-0800-0000-63f574fe0000\"", + "a4d01245-f322-4861-9ffe-1c410aa9dfaa": "\"35001071-0000-0800-0000-63f575110000\"", + "1b94b9a2-ddd7-4d88-949e-ac13cf28b454": "\"35001571-0000-0800-0000-63f5752c0000\"", + "6e9a6f1b-a40e-4ffa-974d-3ab5d675c531": "\"35001871-0000-0800-0000-63f5753e0000\"", + "ff44fc3f-4e22-4c9c-94d9-645c7644d2ca": "\"35002071-0000-0800-0000-63f575510000\"", + "de4a8f18-acf0-4738-a6b2-2302216fdf48": "\"35002571-0000-0800-0000-63f575620000\"", + 
"c84de391-2133-43e6-af89-27b021feaf75": "\"35003171-0000-0800-0000-63f5757b0000\"", + "bbcf3e06-84cb-4bb0-813b-f4f9ce090bab": "\"35003671-0000-0800-0000-63f575920000\"", + "941e3a2b-8eed-4cb4-afba-1322838fcbb2": "\"35003a71-0000-0800-0000-63f575a90000\"", + "e0adc565-7cd3-47f0-9027-c700df43303a": "\"35003d71-0000-0800-0000-63f575be0000\"", + "14c4920e-9a71-4680-aa78-da32072e8dc2": "\"35004871-0000-0800-0000-63f575d60000\"", + "22a677eb-9971-4b78-8082-0061d9a975fd": "\"35004c71-0000-0800-0000-63f575e90000\"", + "fe80d1cc-65a1-400c-a5d5-5a5decf74f31": "\"35005271-0000-0800-0000-63f576020000\"", + "a13c922b-fe7c-476e-a586-edaab2219e57": "\"35005e71-0000-0800-0000-63f576540000\"", + "ceb7fe01-21a7-4ffb-b8f0-ac29b991da50": "\"35006371-0000-0800-0000-63f576660000\"", + "dfbb9a20-254e-4c70-a302-0ba22da59117": "\"35006971-0000-0800-0000-63f576790000\"", + "6dff9c6d-c191-4e5b-a308-a0906a23752d": "\"35007471-0000-0800-0000-63f576900000\"", + "b7e581ff-451f-4e85-97fd-f22c8be96580": "\"35007c71-0000-0800-0000-63f576a30000\"", + "7ee415a8-0c09-46a1-b75d-9223de562a12": "\"35008171-0000-0800-0000-63f576b40000\"", + "049d9663-9edb-4269-8bfa-340896d5cfe4": "\"35008771-0000-0800-0000-63f576c70000\"", + "26ed4120-b9df-487e-bf25-3f179ebf75f4": "\"35008a71-0000-0800-0000-63f576df0000\"", + "9d781e96-280e-4760-8a74-e28bcd7ef128": "\"35008e71-0000-0800-0000-63f576f20000\"", + "3421562d-ac3e-42dc-9d90-e751868bb424": "\"35009471-0000-0800-0000-63f577050000\"", + "22b9eab7-3edd-483a-8aca-5568e23dad78": "\"35009871-0000-0800-0000-63f5771d0000\"", + "2397d157-f3c4-485d-acd3-008ab8612c60": "\"35009e71-0000-0800-0000-63f5773e0000\"", + "67e76653-affb-4264-9b2a-0dd5f5fc2835": "\"3500a271-0000-0800-0000-63f577560000\"", + "303d53fd-b132-45bc-9dc9-8852122a64b9": "\"3500a571-0000-0800-0000-63f577690000\"", + "4f5a652f-bec8-4112-8f7b-531ff30dfd75": "\"3500aa71-0000-0800-0000-63f5777b0000\"", + "1f0221ac-cee3-4eae-801f-c725df4b9f27": "\"3500b471-0000-0800-0000-63f5778f0000\"", + 
"150bcc1a-7788-4624-a9d9-1b05b0fc7051": "\"3500eb71-0000-0800-0000-63f577a30000\"", + "929e1a28-c623-44b1-a8ef-7a1739b9bba1": "\"3500f171-0000-0800-0000-63f577b70000\"", + "3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75": "\"35000472-0000-0800-0000-63f577cc0000\"", + "be59c13c-c811-4444-9a72-b69c713672b1": "\"35000c72-0000-0800-0000-63f577fc0000\"", + "e857375b-b96a-4757-a5a6-c0ed478ee5de": "\"35001072-0000-0800-0000-63f578110000\"", + "80491722-4553-4683-a9a0-8f14ea6dfe08": "\"35001472-0000-0800-0000-63f578230000\"", + "6e16dc82-ea01-41d5-aa55-6390a418421d": "\"35001772-0000-0800-0000-63f578370000\"", + "e3d218b4-cb49-40bb-ac39-4892088ba6c1": "\"35001c72-0000-0800-0000-63f5784a0000\"", + "349c1b39-5c33-4d6f-b5a5-580083a77cd3": "\"35003772-0000-0800-0000-63f5785e0000\"", + "7fd08f98-0dbf-4604-853a-76a610cc9c0d": "\"35003b72-0000-0800-0000-63f578710000\"", + "9d680f1a-5c96-48c6-8662-3604bfe61eb2": "\"35004172-0000-0800-0000-63f5788b0000\"", + "c895ed04-d628-4d7d-ad3d-63afd80aa2a9": "\"35004672-0000-0800-0000-63f5789e0000\"", + "3c5c78d4-a787-4c7c-9da1-a1244a9878b4": "\"35004a72-0000-0800-0000-63f578b10000\"", + "742ae0bd-633c-4f38-804b-3ed926117077": "\"35008872-0000-0800-0000-63f578c80000\"", + "57d051c8-0108-455a-9a94-bfa7c7c8e565": "\"3500aa72-0000-0800-0000-63f578df0000\"", + "ad713bda-ef00-4837-b0ee-4c955214d0a6": "\"3500b472-0000-0800-0000-63f578f20000\"", + "495ef656-bd0f-4a92-a97c-17eab3d1b0b1": "\"3500ca72-0000-0800-0000-63f579030000\"", + "604dfab2-c845-4910-876f-76dce9eb58cb": "\"3500d872-0000-0800-0000-63f579550000\"", + "3700252b-2d09-4ca1-ba8d-5b070add4fbc": "\"3500de72-0000-0800-0000-63f579670000\"", + "bc28747a-f907-4cf8-b2e2-099b4663b67e": "\"3500e472-0000-0800-0000-63f5797b0000\"", + "a414027e-9d31-4716-84b5-41bc3cefbde1": "\"3500fe72-0000-0800-0000-63f5798f0000\"", + "2985b2db-a13a-4ec0-9606-dc6c837a6dd8": "\"35001173-0000-0800-0000-63f579a10000\"", + "2fd7979f-6d09-463b-828c-be33fc9ccfbb": "\"35001773-0000-0800-0000-63f579bf0000\"", + 
"ee08a1b6-de2e-4397-bb4a-9d434ad24ee3": "\"35001f73-0000-0800-0000-63f579d20000\"", + "dece78df-9bea-4625-9457-d4a37e01a4a8": "\"35002473-0000-0800-0000-63f579e60000\"", + "8a5e860b-05d8-47b1-bb76-f690d926ab12": "\"35002a73-0000-0800-0000-63f579f90000\"", + "6587f4a3-260a-470f-a372-fd7d879e9772": "\"35003273-0000-0800-0000-63f57a0b0000\"", + "63037f09-9e99-49da-909e-f384f84b9738": "\"35003c73-0000-0800-0000-63f57a230000\"", + "5a658bc2-1c28-40d4-be6d-fb228e071c1b": "\"3a006471-0000-0800-0000-63f81e920000\"" +} \ No newline at end of file From 16978d3ac248eab343c963fbb259017bbe192e2c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:03 +0000 Subject: [PATCH 002/375] Exported file: (Preview) Microsoft Threat Intelligence Analytics.json.json --- ...crosoft Threat Intelligence Analytics.json | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json diff --git a/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json new file mode 100644 index 00000000..37b219cf --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json 
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "ThreatIntelligence",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "alertRuleTemplateName": "0dd422ee-e6af-4204-b219-f59ac172e4c6",
+ "severity": "Medium",
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
+ "techniques": [],
+ "displayName": "(Preview) Microsoft Threat Intelligence Analytics",
+ "enabled": true,
+ "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts."
+ }
+ }
+ ]
+}
\ No newline at end of file
From 312f6fb1d99af4db8c527c57b0adc69bfeae5d90 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:04 +0000 Subject: [PATCH 003/375] Exported file: (Preview) TI map Domain entity to Dns Events (Normalized DNS).json.json --- ...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json new file mode 100644
index 00000000..aa9fd169
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\nDomainTIs\n | join (\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "(Preview) TI map Domain entity to Dns Events (Normalized DNS)", + "enabled": false, + "description": "Identifies a match in DNS events from any Domain IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).", + "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8" + } + } + ] +} \ No newline at end of file From 5b32cee6567e1f08f647cc11a4035fbe26505aa6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:05 +0000 Subject: [PATCH 004/375] Exported file: (Preview) TI map IP entity to Dns Events (Normalized DNS).json.json --- ...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json new file mode 100644 index 00000000..34e28555 --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = (ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"\")\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\nimDns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\n | extend tilist = toscalar(TI_IP_List)\n | mv-expand tilist\n | extend SingleIP=tostring(tilist)\n | project-away tilist\n | where has_ipv4(DnsResponseName, SingleIP)\n | extend DNS_TimeGenerated = TimeGenerated\n| join IP_TI\n on 
$left.SingleIP == $right.TI_ipEntity\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "(Preview) TI map IP entity to Dns Events (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies a match in DNS events from any IP IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+ "alertRuleTemplateName": "67775878-7f8b-4380-ac54-115e1e828901"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 88fef9d9b0db47f87cfde6f68f39575996865fd2 Mon Sep 17 00:00:00 2001
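Review bot: The `query` on L23 expands every DNS row that passes `response_has_any_prefix` against the full indicator array (`extend tilist = toscalar(TI_IP_List) | mv-expand tilist`) before `has_ipv4` filters it, so the intermediate set is matching-DNS-rows × IP-indicators on every hourly run and is the first place this rule will hit row or memory limits with a large feed. Splitting the answer into its own addresses and testing membership keeps the fan-out bounded by the answer count, e.g. `| mv-expand SingleIP = split(DnsResponseName, ';') to typeof(string)` followed by `| where set_has_element(toscalar(TI_IP_List), SingleIP)` — this presumes the ASIM `DnsResponseName` is `;`-delimited, which should be confirmed against the parser. The `todynamic(toscalar(TI_IP_List))` wrapper is redundant since `make_set` already yields a dynamic array, and the unqualified `join IP_TI` defaults to `innerunique`, so two indicators sharing a `TI_ipEntity` collapse to one row.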
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:07 +0000 Subject: [PATCH 005/375] Exported file: (Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json.json --- ...s Outside Organizational Geolocations.json | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json diff --git a/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json new file mode 100644 index 00000000..45aed148 --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json 
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT7H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "// Rule Name - (Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations\r\n// Rule Description - Sensitive Data Access Outside Organziational Geolocations\r\n// Prerequisite 1: Onboard Azure Infomation Protection (https://docs.microsoft.com/en-us/azure/information-protection/requirements)\r\n// Prerequisite 2: Install AIP Unified Labeling Scanner (https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner)\r\n// Prerequisite 3: Enable Azure Information Protection Connector (https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-information-protection)\r\n// Prerequisite 4: Enable Azure Active Directory Connector (hhttps://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)\r\nInformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n// | where City <> \"New York\" // Configure Location Details within Organizational 
Requirements\r\n| extend State = tostring(LocationDetails.state)\r\n// | where State <> \"Texas\" // Configure Location Details within Organizational Requirements\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n// | where Country_Region <> \"US\" // Configure Location Details within Organizational Requirements\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "customDetails": {
+ "Activity": "Activity_s",
+ "Where": "City"
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "AadUserId",
+ "columnName": "UserPrincipalName"
+ }
+ ]
+ }
+ ],
+ "tactics": [],
+ "techniques": null,
+ "displayName": "(Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations",
+ "enabled": false,
+ "description": "Sensitive Data Access Outside Organziational Geolocations",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9c5efbc74553aea1ecea562b489cca18b3aae677 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:07 +0000 Subject: [PATCH 006/375] Exported file: A client made a web request to a potentially harmful file (ASIM Web Session schema).json.json --- ...armful file (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
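Review bot: The `Account` entity mapping at the end of this hunk binds identifier `AadUserId` to the `UserPrincipalName` column, but that column is populated from `UserId_s` and joined to `SigninLogs` on `UserPrincipalName`, so it holds a UPN rather than an object ID and Sentinel will not resolve the entity correctly; map it as `"identifier": "FullName"` (or split it into `Name` and `UPNSuffix`), and project `SigninLogs` `UserId` into a separate column if the object ID is wanted. Every geolocation filter in the `query` on L26–L27 is commented out (`// | where City <> \"New York\"` and the `State`/`Country_Region` twins), so as committed this High-severity rule fires for every labeled-document event whose user has any sign-in in the 7-hour window, regardless of location; the `description` should say the filters must be set before enabling, or the exclusions should come from a watchlist instead of edited-in literals. The `join (SigninLogs) on UserPrincipalName` also has no time correlation between the AIP event and the sign-in, so a stale sign-in hours earlier is treated as the location of the access. Minor: the prerequisite-4 link in the query comment reads `hhttps://`, and "Organziational" is misspelled in both the query comment and the `description`.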
diff --git a/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json new file mode 100644
index 00000000..edcb1bd6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\nimWebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced SIEM information Model (ASIM).\nTo use this analytics rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM)", + "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e" + } + } + ] +} \ No newline at end of file From b28ed808f96f42d709ce957212fb5f655dae74f1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:08 +0000 Subject: [PATCH 007/375] Exported file: A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json.json --- ...S) requests (ASIM Web Session schema).json | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json diff --git a/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json new file mode 100644 index 00000000..ee78f037 --- /dev/null +++ b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json 
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 5aab48991f21d0580b9a9dd3544eed0be1189cfd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:09 +0000 Subject: [PATCH 008/375] Exported file: A host is potentially running a crypto miner (ASIM Web Session schema).json.json --- ...rypto miner (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json new file mode 100644
index 00000000..deeead3f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
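Review bot: The `query` on L31 pulls its indicator list with `externaldata(...)` from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv` on every 15-minute run, so what this rule alerts on is decided by whoever can write to that public branch and by outbound reachability of GitHub from the workspace; pin the URL to a commit SHA or import the CSV into the `UnusualUserAgents` watchlist the query already reads. If that watchlist has not been provisioned, `_GetWatchlist("UnusualUserAgents")` errors rather than returning an empty set, so the `description` should list it as a prerequisite alongside ASIM. The `description` value at L32–L35 also contains raw line breaks inside the JSON string (the sibling rule at L29–L30 uses `\n`), which a strict RFC 8259 parser rejects; re-export or escape them before deploying this template with anything other than the portal.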
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Cryptominer\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "A host is potentially running a crypto miner (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the Advanced SIEM Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "8cbc3215-fa58-4bd6-aaaa-f0029c351730"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 6bf6a1349cd45c06a66d16e0156535a3b92aec47 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:10 +0000 Subject: [PATCH 009/375] Exported file: A host is potentially running a hacking tool (ASIM Web Session schema).json.json --- ...acking tool (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json new file mode 100644
index 00000000..36756c66
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
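Review bot: The `query` on L36 drops the statement terminator after `let fullUAList = array_concat(knownUserAgents,customUserAgents)`, so the following `imWebSession(httpuseragent_has_any=fullUAList)` is parsed as a continuation of the `let` expression and the rule fails with a syntax error before it ever evaluates; the PowerShell variant at L31 ends the same line with `;`. The line should read `let fullUAList = array_concat(knownUserAgents,customUserAgents);`. The same concerns as the PowerShell rule carry over unchanged: the indicator list is fetched live from the `master` branch of a public repository via `externaldata`, `_GetWatchlist("UnusualUserAgents")` is a hard prerequisite that the `description` does not mention, and the `description` at L37–L40 embeds raw newlines in a JSON string.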
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Hacking Tool\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "A host is potentially running a hacking tool (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "3f0c20d5-6228-48ef-92f3-9ff7822c1954"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 446cd6c9439245c85d09984e0852ab6575bdbf7a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:10 +0000 Subject: [PATCH 010/375] Exported file: A potentially malicious web request was executed against a web server.json.json --- ...est was executed against a web server.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
diff --git a/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json new file mode 100644
index 00000000..4ba5f88b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
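Review bot: The `query` on L41 has the same missing terminator as the crypto-miner rule: `let fullUAList = array_concat(knownUserAgents,customUserAgents)` is immediately followed by `imWebSession(...)`, so KQL reads the function call as part of the `let` and rejects the whole query; it should be `let fullUAList = array_concat(knownUserAgents,customUserAgents);` as in the PowerShell variant at L31. Because the three user-agent rules are otherwise identical apart from `threatCategory`, consider keeping one reviewed query body and generating the variants from it so a fix lands in all three at once. The live `externaldata` fetch from the `master` branch, the unstated `UnusualUserAgents` watchlist prerequisite, and the raw newlines inside the `description` string at L42–L45 all apply here as well.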
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9abf000c-f4ad-413f-9cd7-405d95349988')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9abf000c-f4ad-413f-9cd7-405d95349988')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mode = 'Blocked'; \nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet minTime = ago(1d);\nlet maxSessionWindow = 1h;\nlet sessionBin = maxSessionWindow/2.0;\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayFirewallLog'\n| where action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\n| extend duration = maxTime - minTime\n| extend TimeKey = bin(SessionStarted, sessionBin)\n| join kind = inner(\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayAccessLog'\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n) on $left.hostname_s == 
$right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")\n| extend serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| where SessionBlockedCount > SuccessfulAccessLogCount \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "A potentially malicious web request was executed against a web server", + "enabled": false, + "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). 
A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.", + "alertRuleTemplateName": "46ac55ae-47b8-414a-8f94-89ccd1962178" + } + } + ] +} \ No newline at end of file From 198b34030d80a7ba5ee8db543341d0414894ca39 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:11 +0000 Subject: [PATCH 011/375] Exported file: AD FS Remote Auth Sync Connection.json.json --- .../AD FS Remote Auth Sync Connection.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json diff --git a/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json new file mode 100644 index 00000000..d8e5a274 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json 
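Review bot: `BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount` divides two `count()` results, which in KQL is integer division, so the ratio is truncated (7 blocked against 4 allowed yields 1, the same as 4 against 4) and the following `sort by BlockvsSuccessRatio desc` loses most of its ordering; `| extend BlockvsSuccessRatio = todouble(SessionBlockedCount)/SuccessfulAccessLogCount` keeps the fraction the description talks about. The final `where SessionBlockedCount > SuccessfulAccessLogCount` also guarantees the ratio is at least 1 in every returned row, which is worth stating in the `description` so analysts do not read low values as benign. Only `IPCustomEntity` is mapped to an entity while `hostname_s` is carried through to the output; a Host mapping on it would let incidents be grouped by the targeted gateway host, if that fits the deployment.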
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b61a883-0219-4ac3-8058-29afe81b8e7e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b61a883-0219-4ac3-8058-29afe81b8e7e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\n//let adfsuser = 'adfsadmin';\n// Identify ADFS Servers\nlet ADFS_Servers = (\n SecurityEvent\n //| where TimeGenerated > ago(timeframe+lookback)\n | where EventSourceName == 'AD FS Auditing'\n | distinct Computer\n);\nSecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\n // for relying party '-' was successfully authenticated.\n | where EventID == 412\n | extend EventData = parse_xml(EventData).EventData.Data\n | extend InstanceId = tostring(EventData[0])\n| join kind=inner\n(\n SecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // Events to identify caller identity from event 412\n | where EventID == 501\n | extend EventData = parse_xml(EventData).EventData.Data\n | where tostring(EventData[1]) contains 'identity/claims/name'\n | extend InstanceId = tostring(EventData[0])\n | extend ClaimsName = tostring(EventData[2])\n // Filter on the use of a specific AD FS user account\n //| where ClaimsName contains adfsuser\n)\non $left.InstanceId == $right.InstanceId\n| join kind=inner\n(\n SecurityEvent\n | where EventID == 5156\n | where Computer in~ (ADFS_Servers)\n | extend EventData = parse_xml(EventData).EventData.Data\n | mv-expand bagexpansion=array EventData\n | evaluate bag_unpack(EventData)\n | extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n | extend DestPort = column_ifexists(\"DestPort\", \"\"),\n Direction = column_ifexists(\"Direction\", \"\"),\n Application = column_ifexists(\"Application\", \"\"),\n DestAddress = column_ifexists(\"DestAddress\", \"\"),\n SourceAddress = column_ifexists(\"SourceAddress\", \"\"),\n SourcePort = column_ifexists(\"SourcePort\", \"\")\n // Look for inbound connections from 
endpoints on port 80\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') \n)\non $left.Computer == $right.Computer\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "AD FS Remote Auth Sync Connection", + "enabled": false, + "description": "This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\nsensitive information such as AD FS certificates.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n", + "alertRuleTemplateName": "2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6" + } + } + ] +} \ No newline at end of file From 395f19921f8f884002dd7c642d254c60218f0954 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:12 +0000 Subject: [PATCH 012/375] Exported file: AD FS Remote HTTP Network Connection.json.json --- .../AD FS Remote HTTP Network Connection.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json diff --git a/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json new file mode 100644 index 00000000..bd68ae23 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json 
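Review bot: The loopback exclusion `| where DestAddress !in ('::1','0:0:0:0:0:0:0:1')` on the 5156 branch filters only the IPv6 loopback address, so WFP events for local connections to the server's own IPv4 loopback on port 80 still match; `| where DestAddress !in ('::1','0:0:0:0:0:0:0:1','127.0.0.1')` closes that gap, and the same omission is present in the `DestinationIp` filter of the following AD FS Remote HTTP Network Connection hunk. The third join is `on $left.Computer == $right.Computer` with every `TimeGenerated` filter commented out, so each 412/501 pair is combined with every 5156 event on that host across the whole query period regardless of how far apart they occurred, which is a cross-product rather than the correlation the description promises. A proximity condition after the join between the 412 timestamp and the suffixed right-side `TimeGenerated` column the join produces (for example within a few minutes) would restore the intended pairing.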
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5835ecfd-6b56-4f8e-9719-74d85e34c077')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5835ecfd-6b56-4f8e-9719-74d85e34c077')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// Filter out other servers in the AD FS farm\nlet ADFSServersList = dynamic([\"ADFS02.domain.com\",\"ADFS03.domain.com\"]);\n// Start by identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer !in (ADFSServersList)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer\n);\n// Look for ADFS servers 
receiving connections over port 80\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"), TechniqueId = column_ifexists(\"TechniqueId\", \"\"), TechniqueName = column_ifexists(\"TechniqueName\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n| where EventID == 3\n// Look for endpoints connecting to the AD FS server over port 80\n| extend DestinationPort = column_ifexists(\"DestinationPort\", \"\"), Image = column_ifexists(\"Image\", \"\"), Initiated = column_ifexists(\"Initiated\", \"\"), SourceIp = column_ifexists(\"DestinationIp\", \"\"), DestinationIp = column_ifexists(\"DestinationIp\", \"\")\n| where DestinationPort == 80\n| extend process = split(Image, '\\\\', -1)[-1]\n// Look for the System process receiving connections\n| where process == 'System' and Initiated == 'false'\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + 
"matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "AD FS Remote HTTP Network Connection", + "enabled": false, + "description": "This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n", + "alertRuleTemplateName": "d57c33a9-76b9-40e0-9dfa-ff0404546410" + } + } + ] +} \ No newline at end of file From 00601e965866df6858ebdcd684db24f7a320d07d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:13 +0000 Subject: [PATCH 013/375] Exported file: AD account with Don't Expire Password.json.json --- ...AD account with Don't Expire Password.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json diff --git a/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json new file mode 100644 index 00000000..f732ef14 --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91011f1e-3186-450d-9cd7-83e9c840508a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91011f1e-3186-450d-9cd7-83e9c840508a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nSecurityEvent\n| where EventID == 4738\n// 2089 value indicates the Don't Expire Password value has been set\n| where UserAccountControl has \"%%2089\" \n| extend Value_2089 = iff(UserAccountControl has \"%%2089\",\"'Don't Expire Password' - Enabled\", \"Not Changed\")\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \n| extend Value_2050 = iff(UserAccountControl has \"%%2050\",\"'Password Not Required' - Disabled\", \"Not Changed\")\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\n| extend Value_2082 = iff(UserAccountControl has \"%%2082\",\"'Password Not Required' - Enabled\", \"Not Changed\")\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "AD account with Don't Expire Password", + "enabled": false, + "description": "Identifies whenever a user account has the setting \"Password Never Expires\" in the user account properties selected.\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\n%%2089 resolves to \"Don't Expire Password - Enabled\".", + "alertRuleTemplateName": "6c360107-f3ee-4b91-9f43-f4cfd90441cf" + } + } + ] +} \ No newline at end of file From 26818c593d0ac525e9da09027488dd5d9e4ac58b Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:14 +0000 Subject: [PATCH 014/375] Exported file: AD user enabled and password not set within 48 hours.json.json --- ... and password not set within 48 hours.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json diff --git a/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json new file mode 100644 index 00000000..f860a774 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b4b2f57-ace1-4d2d-9793-942442bc9668')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b4b2f57-ace1-4d2d-9793-942442bc9668')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P3D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or 
isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\n| order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "AD user enabled and password not set within 48 hours", + "enabled": false, + "description": "Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company policy.", + "alertRuleTemplateName": "62085097-d113-459f-9ea7-30216f2ee6af" + } + } + ] +} \ No newline at end of file 
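Review bot: `| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)` fires for every 4722 event that has no matching 4723 yet, including accounts enabled minutes before the daily run, so with `queryFrequency` P1D the rule alerts before the 48-hour window the `displayName` and `description` promise has elapsed. Restricting the empty branch to enable events that are already old enough, `| where PasswordSetAttemptDelta_Min > 2880 or (isempty(PasswordSetAttemptDelta_Min) and Time_Event4722 < ago(2d))`, matches the stated intent. With `queryPeriod` P3D the same still-unset account is reported again on consecutive daily runs, which the description may want to mention so the repeat alerts are expected.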
From f42fd7484951a0ce27c20a293b6e9daa3fe3a0dd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:14 +0000 Subject: [PATCH 015/375] Exported file: ADFS DKM Master Key Export.json.json --- .../ADFS DKM Master Key Export.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json diff --git a/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json new file mode 100644 index 00000000..291cf211 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cca3599-da9a-4231-a9d2-b1f733201dbd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cca3599-da9a-4231-a9d2-b1f733201dbd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "(union isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains ' Date: Mon, 27 Feb 2023 02:15:15 +0000 Subject: [PATCH 016/375] Exported file: ADFS Database Named Pipe Connection.json.json --- .../ADFS Database Named Pipe Connection.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json diff --git a/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json new file mode 100644 index 00000000..aff745de --- /dev/null +++ b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee43dc07-3a2f-4c4d-b460-557389385470')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee43dc07-3a2f-4c4d-b460-557389385470')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 6d;\n// Adjust this to adjust the key export detection timeframe\n//let timeframe = 1d;\n// Start be identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer);\n// Look for ADFS servers where Named Pipes event are present\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| 
where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"),\n TechniqueId = column_ifexists(\"TechniqueId\", \"\"),\n TechniqueName = column_ifexists(\"TechniqueName\", \"\"),\n Image = column_ifexists(\"Image\", \"\"),\n PipeName = column_ifexists(\"PipeName\", \"\"),\n EventType = column_ifexists(\"EventType\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n// Look for Pipe related to querying the WID\n| where PipeName == \"\\\\MICROSOFT##WID\\\\tsql\\\\query\"\n| extend process = split(Image, '\\\\', -1)[-1]\n// Exclude expected processes\n| where process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", \"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\", \"AzureADConnect.exe\", \"Microsoft.Tri.Sensor.exe\", \"wsmprovhost.exe\",\"mmc.exe\", \"sqlservr.exe\")\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "ADFS Database Named Pipe Connection", + "enabled": false, + "description": "This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\nFailed to resolve scalar expression named \"[@Name]\"", + "alertRuleTemplateName": "dcdf9bfc-c239-4764-a9f9-3612e6dff49c" + } + } + ] +} \ No newline at end of file From 693d5b5da93e6b1883c80158126a753209ba036b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:16 +0000 Subject: [PATCH 017/375] Exported file: AWS Guard Duty Alert.json.json --- .../AWS Guard Duty Alert.json | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json diff --git a/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json new file mode 100644 index 00000000..60586c45 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e137990-3aad-4695-8ea5-eac1e16a9451')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e137990-3aad-4695-8ea5-eac1e16a9451')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [], + "techniques": null, + "displayName": "AWS Guard Duty Alert", + "enabled": false, + "description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and 
delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.", + "alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106" + } + } + ] +} \ No newline at end of file From fa3dbf1e37c007be553baf87aeb9659c7f3adad2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:17 +0000 Subject: [PATCH 018/375] Exported file: Account Created and Deleted in Short Timeframe.json.json --- ...reated and Deleted in Short Timeframe.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json diff --git a/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json new file mode 100644 index 00000000..a3a2cb27 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json 
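Review bot: `extend AWSAcoundId = AccountId` in the query misspells the output column, and because `AccountId` is then dropped by `project-away`, the alert exposes only the misspelt name; rename it `AWSAccountId`. The rule also ships with `"tactics": []` and no `entityMappings`, so incidents raised from it carry no entities for grouping or investigation; consider mapping the columns the query keeps (the finding id and the renamed account id at least) as entities or custom details. The same absence of `entityMappings` applies to the Admin promotion, Alsid attack pathways, DCShadow and DCSync hunks below. The description's `This templates create an alert` should read `This template creates an alert`.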
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where OperationName =~ \"Add user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| join kind=inner (AuditLogs\n| where OperationName =~ \"Delete user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\n| extend timedelta = TimeGenerated1 - TimeGenerated\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\n| where timedelta < timespan(24h) and timedelta > timespan(0h)\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + 
"displayName": "Account Created and Deleted in Short Timeframe", + "enabled": false, + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "alertRuleTemplateName": "bb616d82-108f-47d3-9dec-9652ea0d3bf6" + } + } + ] +} \ No newline at end of file From 53d90b5a9c6c35bd93bd5cab80a7983b5ba76937 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:17 +0000 Subject: [PATCH 019/375] Exported file: Account added and removed from privileged groups.json.json --- ...ed and removed from privileged groups.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json diff --git a/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json new file mode 100644 index 00000000..51ad12f9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json 
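Review bot: The query ends with `extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress`, but `entityMappings` maps only the IP, so the created-and-deleted account — the subject of the detection — is never attached to the incident. Add an `Account` entry with `"identifier": "FullName"` and `"columnName": "CustomAccountEntity"`, or rename the column to `AccountCustomEntity` to match the other rules in this series. Note also that `IPAddress` is computed only inside the `Delete user` side of the join, so the IP of whoever created the account is not captured; the description could say so.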
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet AC_Add = \nSecurityEvent\n// Event ID related to member addition.\n| where EventID in (4728, 4732,4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountAdded \",OU\" *\n| where isnotempty(AccountAdded)\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \"||\", GroupAddedTo, \"||\", AddingAccount )\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\nlet AC_Remove = \nSecurityEvent\n// Event IDs related to member removal.\n| where EventID in (4729,4733,4757)\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountRemoved \",OU\" * \n| where 
isnotempty(AccountRemoved)\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \"||\", GroupRemovedFrom, \"||\", RemovingAccount)\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \nAC_Add \n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\n| where DurationinSecondAfter_Removed > 0\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Account added and removed from privileged groups", + "enabled": false, + "description": "Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.", + "alertRuleTemplateName": 
"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60" + } + } + ] +} \ No newline at end of file From d60acf309eec40718f91bebbfd6179126b1f5f0e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:18 +0000 Subject: [PATCH 020/375] Exported file: Account created or deleted by non-approved user.json.json --- ...eated or deleted by non-approved user.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json diff --git a/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json new file mode 100644 index 00000000..71abee6a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json 
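Review bot: Both `parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *` patterns require an `,OU` component immediately after the member's CN, so members whose distinguished name has no OU at that position (presumably objects in a default container) yield an empty `AccountAdded`/`AccountRemoved` and are dropped by the `isnotempty` filters, leaving a gap in the detection. Parsing up to the first comma instead, e.g. `'=' AccountAdded ',' *`, covers both DN shapes. The description says the account is "quickly removed", yet the only bound is `DurationinSecondAfter_Removed > 0` within the `P1D` query period; stating that 24h window in the description would make the intent explicit.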
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName == \"Add user\" or OperationName == \"Delete user\"\n| where Result == \"success\"\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Account created or deleted by non-approved user", + "enabled": false, + "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", + "alertRuleTemplateName": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a" + } + } + ] +} \ No newline at end of file From 7f7e0d4dbd766c73aaaf6204656b5dcf88890abb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:19 +0000 Subject: [PATCH 021/375] Exported file: Admin promotion after Role Management Application Permission Grant.json.json --- ...nagement Application Permission Grant.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json diff --git a/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json new file mode 100644 index 00000000..fac376d0 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json 
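Review bot: `let nonapproved_users = dynamic([]);` leaves the list empty, so `InitiatingUser has_any (nonapproved_users)` never matches and the rule produces nothing until the query itself is edited; the description only hints at this. Sourcing the list from a watchlist, e.g. `_GetWatchlist('<watchlist-name>') | project SearchKey`, lets it be maintained without redeploying the rule and keeps the analyst-facing query stable. The `Result == "success"` filter also discards failed attempts by non-approved users, which are arguably the more interesting signal; if that is intentional, say so in the description.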
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/798fde9b-d47c-4158-99e0-326a7f4e29d6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/798fde9b-d47c-4158-99e0-326a7f4e29d6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"AppRole.Value\"\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where AppRole has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\n| join kind=innerunique (\n AuditLogs\n | where LoggedByService =~ \"Core 
Directory\"\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-expand TargetResources\n | mv-expand TargetResources.modifiedProperties\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n | where displayName_ =~ \"Role.DisplayName\"\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n | where RoleName contains \"Admin\"\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\n | extend TargetType = tostring(TargetResources.type)\n | extend TargetId = tostring(TargetResources.id)\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\n) on $left.TargetId == $right.InitiatorId\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\n| where TimeRoleMgGrant < TimeAdminPromo\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "PrivilegeEscalation", + "Persistence" + ], + 
"techniques": null, + "displayName": "Admin promotion after Role Management Application Permission Grant", + "enabled": false, + "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "alertRuleTemplateName": "f80d951a-eddc-4171-b9d0-d616bb83efdc" + } + } + ] +} \ No newline at end of file From 398fc15c9d55cf03263c09565befae8c13b129d5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:20 +0000 Subject: [PATCH 022/375] Exported file: Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json.json --- ...ware - IP, Hash IOCs - September 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json diff --git a/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json new file mode 100644 index 00000000..2fbc7ec6 --- /dev/null 
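Review bot: `Target` and `TargetId` are read by position — `TargetResources.modifiedProperties[4].newValue` and `[3]` — while the rest of the query selects the `AppRole.Value` entry by `displayName_`; the order of `modifiedProperties` is not something the query can rely on, so a change in the audit-log shape would silently give an empty `TargetId` and an empty join, i.e. a detection that stops firing without error. Select those two values by their `displayName` the same way `AppRole.Value` is selected, and document the expected entries in a `//` comment in the query so the next maintainer can verify them.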
+++ b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dece78df-9bea-4625-9457-d4a37e01a4a8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dece78df-9bea-4625-9457-d4a37e01a4a8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = 
case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID 
== '4688'\n| where NewProcessName in (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\nReference: \nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar", + "alertRuleTemplateName": "d992b87b-eb49-4a9d-aa96-baacf9d26247" + } + } + ] +} \ No newline at end of file From b877e42b4b38ce029d057b7afc550ca4b834a55a Mon Sep 17 00:00:00 2001 
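Review bot: The last union branch `SecurityEvent | where EventID == '4688' | where NewProcessName in (IPList)` compares a process path against the IP list, so it can never match; drop the branch or match the intended field (4688 carries no hash, so there is nothing in it to compare against `sha256Hashes`). Two redundancies read like copy errors: the CommonSecurityLog `IPMatch` case repeats `MessageIP in (IPList), "Message"`, and `sha256Hashes` lists `a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7` twice. In the DeviceFileEvents branch the match is on `InitiatingProcessSHA256` only, so a file written with an IOC hash is caught only when the writing process is itself the IOC; consider also matching the file's own hash column if the table provides one.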
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:21 +0000 Subject: [PATCH 023/375] Exported file: Alsid Active Directory attacks pathways.json.json --- ...sid Active Directory attacks pathways.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json diff --git a/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json new file mode 100644 index 00000000..892797cf --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b129d496-e02c-479f-a5c7-16cc71ef63ad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b129d496-e02c-479f-a5c7-16cc71ef63ad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Active Directory attacks pathways", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways", + 
"alertRuleTemplateName": "9649e203-3cb7-47ff-89a9-42f2a5eefe31" + } + } + ] +} \ No newline at end of file From 0b3de678300cf783e529d7e18a855cf79a010b06 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:21 +0000 Subject: [PATCH 024/375] Exported file: Alsid DCShadow.json.json --- .../Alsid DCShadow.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid DCShadow.json diff --git a/SentinelExported-AnalyticsRule/Alsid DCShadow.json b/SentinelExported-AnalyticsRule/Alsid DCShadow.json new file mode 100644 index 00000000..177269e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid DCShadow.json 
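Review bot: The query depends on `afad_parser`, a workspace function that is not part of this export, so the rule fails validation on a workspace where the Alsid parser has not been deployed; a `//` comment in the query or a line in the description naming that prerequisite would save a deployment failure, and the same applies to the DCShadow and DCSync hunks below. The `SeverityTable` lookup and `order by Level` do not influence alerting: the rule fires at the static `"severity": "Low"` even for `critical` Indicators of Exposure, and `lookup ... on Severity` is case-sensitive, so it only resolves if the parser emits lowercase values — worth confirming.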
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/534eed88-50e6-4584-a8f0-c245d16537e9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/534eed88-50e6-4584-a8f0-c245d16537e9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCShadow\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Alsid DCShadow", + "enabled": false, + "description": "Searches for DCShadow attacks", + "alertRuleTemplateName": "25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c" + } + } + ] +} \ No newline at end of file From 77b2d4d8415c0beecef57745a5314966dc8c0034 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:22 +0000 Subject: [PATCH 025/375] Exported file: Alsid DCSync.json.json --- .../Alsid DCSync.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid DCSync.json 
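Review bot: The filter `Codename == "DCShadow"` in this hunk's query is a case-sensitive match, whereas the Indicators-of-Exposure rules in this series compare codenames with the case-insensitive `in~`; a casing difference in the parsed field would silently drop the alert, so `| where MessageType == 2 and Codename =~ "DCShadow"` is the safer form. The same pattern appears in the DCSync, Golden Ticket, LSASS Memory, Password Guessing and Password Spraying hunks. `"techniques": null` is also left here although each of these rules targets one well-known technique — DCShadow maps to T1207, DCSync to T1003.006, Golden Ticket to T1558.001, LSASS Memory to T1003.001, Password Guessing to T1110.001 and Password Spraying to T1110.003; check whether `apiVersion` `2022-09-01-preview` accepts sub-technique IDs or only the parent (e.g. `T1003`) before filling them in.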
diff --git a/SentinelExported-AnalyticsRule/Alsid DCSync.json b/SentinelExported-AnalyticsRule/Alsid DCSync.json new file mode 100644 index 00000000..9b75999f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid DCSync.json @@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f440c27a-949f-44a8-8617-6533617ce4c6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f440c27a-949f-44a8-8617-6533617ce4c6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCSync\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid DCSync", + "enabled": false, + "description": "Searches for DCSync attacks", + "alertRuleTemplateName": "d3c658bd-8da9-4372-82e4-aaffa922f428" + } + } + ] +} \ No newline at end of file From 332bf9f1eee5532f3cc02bb7d879de2e697c9fd3 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:23 +0000 Subject: [PATCH 026/375] Exported file: Alsid Golden Ticket.json.json --- .../Alsid Golden Ticket.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Golden Ticket.json diff --git a/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json new file mode 100644 index 00000000..605710d8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6b7994e-ae58-499c-bdac-a7035e8858de')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6b7994e-ae58-499c-bdac-a7035e8858de')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"Golden Ticket\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Golden Ticket", + "enabled": false, + "description": "Searches for Golden Ticket attacks", + "alertRuleTemplateName": "21ab3f52-6d79-47e3-97f8-ad65f2cb29fb" + } + } + ] +} \ No newline at end of file From f0ef3998109e9c278fdfd6cf755495a38b267a70 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:24 +0000 Subject: [PATCH 027/375] Exported file: Alsid Indicators of Attack.json.json --- .../Alsid Indicators of Attack.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json new file mode 100644 index 00000000..eabbaa2e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22cf036c-2193-4352-9fb5-869ed7dc00a6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22cf036c-2193-4352-9fb5-869ed7dc00a6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 2\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Indicators of Attack", + "enabled": false, + "description": "Searches for triggered Indicators of Attack", + "alertRuleTemplateName": "3caa67ef-8ed3-4ab5-baf2-3850d3667f3d" + } + } + ] +} \ No newline at end of file From 2235247588a85e0451d6bf531c2c91ace730102b Mon Sep 17 00:00:00 2001 
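Review bot: The catch-all query in this hunk, `| where MessageType == 2`, covers every Indicator of Attack at `"severity": "Low"`, while the DCShadow, DCSync, Golden Ticket, LSASS Memory, Password Guessing and Password Spraying hunks each filter the same `MessageType == 2` stream by codename at `"severity": "High"`; once all are enabled, a single Alsid attack event produces two incidents with conflicting severities. Either exclude the codenames the dedicated rules already own, e.g. `| where MessageType == 2 and Codename !in~ ("DCShadow", "DCSync", "Golden Ticket", "OS Credential Dumping: LSASS Memory", "Password Guessing", "Password Spraying")`, or state the intended overlap in `description`. The Indicators of Exposures hunk has the same relationship with the codename-scoped `MessageType == 0` rules.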
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:25 +0000 Subject: [PATCH 028/375] Exported file: Alsid Indicators of Exposures.json.json --- .../Alsid Indicators of Exposures.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json new file mode 100644 index 00000000..a3fa8625 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Indicators of Exposures", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures", + "alertRuleTemplateName": "154fde9f-ae00-4422-a8da-ef00b11da3fc" + } + } + ] +} \ No newline at end of file From ab3edf1c392b4ade99487598517171f1b9e7a6c0 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:25 +0000 Subject: [PATCH 029/375] Exported file: Alsid LSASS Memory.json.json --- .../Alsid LSASS Memory.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid LSASS Memory.json diff --git a/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json new file mode 100644 index 00000000..60c47531 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52bb7be6-1fb5-424b-bb24-84d427d91626')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52bb7be6-1fb5-424b-bb24-84d427d91626')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid LSASS Memory", + "enabled": false, + "description": "Searches for OS Credentials dumping attacks", + "alertRuleTemplateName": "3acf5617-7c41-4085-9a79-cc3a425ba83a" + } + } + ] +} \ No newline at end of file From efb3baa4625b63b0e45755820d7033daa5d35f53 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:26 +0000 Subject: [PATCH 030/375] Exported file: Alsid Password Guessing.json.json --- .../Alsid Password Guessing.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Guessing.json diff --git a/SentinelExported-AnalyticsRule/Alsid Password Guessing.json b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json new file mode 100644 index 00000000..02fbf5c1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d4f0a426-2354-416f-9999-b8d28d3e93ed')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d4f0a426-2354-416f-9999-b8d28d3e93ed')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Password Guessing", + "enabled": false, + "description": "Searches for bruteforce Password Guessing attacks", + "alertRuleTemplateName": "ba239935-42c2-472d-80ba-689186099ea1" + } + } + ] +} \ No newline at end of file From 15e2f8df63c1bdca04e174dbc0e8f253d41d2b26 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:27 +0000 Subject: [PATCH 031/375] Exported file: Alsid Password Spraying.json.json --- .../Alsid Password Spraying.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Spraying.json diff --git a/SentinelExported-AnalyticsRule/Alsid Password Spraying.json b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json new file mode 100644 index 00000000..a72493ac --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/51c23e70-6d7e-47c5-87b0-e798a636931d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/51c23e70-6d7e-47c5-87b0-e798a636931d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Password Spraying", + "enabled": false, + "description": "Searches for Password spraying attacks", + "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb" + } + } + ] +} \ No newline at end of file From 50332279c5082654b71e1bbeaff451b523c8c544 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:28 +0000 Subject: [PATCH 032/375] Exported file: Alsid Password issues.json.json --- .../Alsid Password issues.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Password issues.json diff --git a/SentinelExported-AnalyticsRule/Alsid Password issues.json b/SentinelExported-AnalyticsRule/Alsid Password issues.json new file mode 100644 index 00000000..e0ebdc4d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Password issues.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Password issues", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures related to password issues", + "alertRuleTemplateName": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17" + } + } + ] 
+} \ No newline at end of file From 85980e60e39b19c35f137fad99575bcf3a139672 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:28 +0000 Subject: [PATCH 033/375] Exported file: Alsid privileged accounts issues.json.json --- .../Alsid privileged accounts issues.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json diff --git a/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json new file mode 100644 index 00000000..41c05802 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json 
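Review bot: The `codeNameList` in this hunk overlaps with the other exposure rules in this series: `C-PASSWORD-DONT-EXPIRE` and `C-USER-PASSWORD` also appear in the user accounts issues hunk, and `C-KRBTGT-PASSWORD` in the privileged accounts issues hunk; likewise `C-PRIV-ACCOUNTS-SPN` and `C-DANG-PRIMGROUPID` are listed in both the attacks pathways and privileged/user accounts hunks. With `"groupingConfiguration": {"enabled": false}` in every one of them, one triggered exposure will open a separate Low incident per rule that lists it. Either assign each codename to exactly one rule or enable incident grouping on these rules so the duplicates collapse; the choice should be recorded in the `description` of the rule that keeps the codename.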
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid privileged accounts issues", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures related to privileged accounts issues", + 
"alertRuleTemplateName": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e" + } + } + ] +} \ No newline at end of file From 1921c5838c90e0198cb2cdea3b84070f7f027fb2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:29 +0000 Subject: [PATCH 034/375] Exported file: Alsid user accounts issues.json.json --- .../Alsid user accounts issues.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid user accounts issues.json diff --git a/SentinelExported-AnalyticsRule/Alsid user accounts issues.json b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json new file mode 100644 index 00000000..07a811e1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid user accounts issues", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures related to user accounts issues", + "alertRuleTemplateName": 
"fb9e0b51-8867-48d7-86f4-6e76f2176bf8" + } + } + ] +} \ No newline at end of file From 1e79d2fdaab361576856d66362e0ba1ce98ec125 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:30 +0000 Subject: [PATCH 035/375] Exported file: Anomalous User Agent connection attempt.json.json --- ...omalous User Agent connection attempt.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json diff --git a/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json new file mode 100644 index 00000000..1eb976f3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2397090-face-41f6-ae70-89fc66312292')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2397090-face-41f6-ae70-89fc66312292')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold = 100;\nW3CIISLog \n// Exclude local IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Anomalous User Agent connection attempt", + "enabled": false, + "description": "Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.", + "alertRuleTemplateName": "f845881e-2500-44dc-8ed7-b372af3e1e25" + } + } + ] +} \ No newline at end of file From 5d1ea776d15151428d502c574cc9b50632daaf5c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:31 +0000 Subject: [PATCH 036/375] Exported file: Anomalous login followed by Teams action.json.json --- ...malous login followed by Teams action.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json diff --git a/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json new file mode 100644 index 00000000..e49e899e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json 
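Review bot: The exclusion `| where cIP !startswith "192.168." and cIP != "::1"` in this hunk's query does not do what its own comment (`// Exclude local IPs as these create noise`) says: the 10.0.0.0/8 and 172.16.0.0/12 ranges and IPv4 loopback still pass, so internal scanners and health checks with short user agents will surface as incidents. `| where not(ipv4_is_private(cIP)) and cIP !in ("127.0.0.1", "::1")` covers the whole RFC 1918 space in one call. The `AccountCustomEntity`/`HostCustomEntity`/`IPCustomEntity` columns projected at the end of the query are consistent with the `entityMappings` block, so the entity wiring itself looks correct.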
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aa392189-9ff4-40f3-af07-3c2e454d5b22')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aa392189-9ff4-40f3-af07-3c2e454d5b22')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\n//The minimum number of countries that the account has been accessed from [default: 2]\nlet minimumCountries = 2;\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\nlet deltaThreshold = 95;\n//The maximum (%) threshold that the country appears in login data [default: 10]\nlet countryPrevalenceThreshold = 10;\n//The time to project forward after the last login activity [default: 60min]\nlet projectedEndTime = 60min; \n//Get Teams successful signins globally\nlet aadFunc = (tableName:string){\nlet signinData =\n table(tableName)\n | where AppDisplayName has \"Teams\"\n | where ConditionalAccessStatus =~ \"success\"\n | extend country = tostring(todynamic(LocationDetails)['countryOrRegion'])\n | where isnotempty(country) and isnotempty(IPAddress);\n// Collect successful signins to teams\nlet loginEvents = \n signinData\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\n//Calcualte delta between logins\nlet loginDelta =\n loginEvents\n | summarize 
max(count_), min(count_) by UserPrincipalName\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\n | where delta >= deltaThreshold;\n//Count number of countries used to sign in\nlet countryCount =\n loginEvents\n | summarize Countries = dcount(country) by UserPrincipalName;\n//Join delta and sign in counts to successful logins\nloginDelta\n| join kind=rightouter (\n loginEvents\n) on UserPrincipalName\n| join kind=rightouter (\n countryCount\n) on UserPrincipalName\n//Check where the record meets the minimum required countries\n| where Countries >= minimumCountries\n| join kind=leftouter (\n signinData\n | summarize count() by country\n | join (\n //Now get the total number of logins from any country and join it to the previous count in a single table\n signinData\n | summarize count() by country\n | summarize sum(count_), make_list(country)\n | mv-expand list_country\n | extend country = tostring(list_country)\n ) on country\n | summarize by country, count_, sum_count_\n //Now calculate each countries prevalence within login events\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\n | project-away sum_count_\n | order by prevalence\n) on country\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\n| where prevalence < countryPrevalenceThreshold\n| where min_count_ == count_\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\n| extend EventTimes = list_TimeGenerated\n| extend SuspiciousIP = IPAddress\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\n//Teams join to collect operations the user account has performed within the given time range\n| join kind=inner( \n OfficeActivity\n | where Operation in~ (\"TeamsAdminAction\", \"MemberAdded\", \"MemberRemoved\", \"MemberRoleChanged\", \"AppInstalled\", 
\"BotAddedToTeam\")\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\n) on $left.UserPrincipalName == $right.UserId\n| mv-expand StartTime = EventTimes\n| extend StartTime = make_datetime(StartTime)\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\n//Limit to operations carried out by the user account in the timeframe the IP was active\n| where OperationTime between (StartTime .. ProjectedEndTime)\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n//Filter on suspicious actions\n| extend activitySummary = pack(tostring(StartTime), pack(\"Operation\",tostring(Operation), \"OperationTime\", OperationTime))\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + 
"displayName": "Anomalous login followed by Teams action", + "enabled": false, + "description": "Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.", + "alertRuleTemplateName": "2b701288-b428-4fb8-805e-e4372c574786" + } + } + ] +} \ No newline at end of file From 46786071261e92168e0bdb986a0989e69201f24e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:32 +0000 Subject: [PATCH 037/375] Exported file: Anomalous sign-in location by user account and authenticating application.json.json --- ...ccount and authenticating application.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json diff --git a/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json new file mode 100644 index 00000000..53c03dd6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json 
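Review bot: The final `join kind=inner` in the query lower-cases only the right side (`UserId=tolower(UserId)`) while the left key `UserPrincipalName` from the sign-in tables keeps its original casing, and KQL joins on string keys are case-sensitive, so any UPN with upper-case characters never matches an OfficeActivity row and the Teams-action correlation silently drops those users. Normalising the left side in `signinData`, e.g. `| extend UserPrincipalName = tolower(UserPrincipalName)`, fixes the mismatch. The description and the in-query comment both say the delta threshold is 90%, but the code sets `let deltaThreshold = 95;`; either the constant or the text should be corrected so analysts tuning the rule are not misled. `"techniques": null` alongside two tactics also leaves the MITRE technique mapping empty.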
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78389019-b3c8-476c-9867-dee37f00f6ea')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78389019-b3c8-476c-9867-dee37f00f6ea')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet lookBack_long = 7d;\nlet lookBack_med = 3d;\nlet lookBack = 1d;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_long))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n// Create time series \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \nby UserPrincipalName, AppDisplayName \n// Compute best fit line for each entry \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \n// Chart the 3 most interesting lines \n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\n| where Slope > 0.3\n| top 50 by Slope desc\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated 
>= startofday(ago(lookBack_med))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 0.3\n| top 50 by Slope desc\n) on UserPrincipalName, AppDisplayName\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 5\n| top 50 by Slope desc\n// Higher threshold requirement on last day anomaly\n) on UserPrincipalName, AppDisplayName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + 
"enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Anomalous sign-in location by user account and authenticating application", + "enabled": false, + "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \nDirectory application and picks out the most anomalous change in location profile for a user within an \nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\nover last day but also over the last 3-day and 7-day periods.\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\nIt is recommended that you test and tune this appropriately for the workspace.", + "alertRuleTemplateName": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a" + } + } + ] +} \ No newline at end of file From 063e4e916245b6d73aeec7cc9f28a05cbc017b1e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:32 +0000 Subject: [PATCH 038/375] Exported file: AppServices AV Scan Failure.json.json --- .../AppServices AV Scan Failure.json | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json new file mode 100644 index 00000000..9b8ca0c1 --- /dev/null 
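Review bot: Each of the three sub-queries contains `Status = todynamic(DeviceDetail)`, which assigns the device payload to `Status`; the column is projected away immediately afterwards so nothing breaks here, but the same copy-paste appears in sibling rules where `Status` is actually read, so it should read `Status = todynamic(Status)` (or be dropped, since it is unused). The rule is configured with `"queryPeriod": "P14D"` while the query never reads earlier than `startofday(ago(lookBack_long))`, i.e. at most about 8 days back, so the period over-scans a table the description already warns may time out on large tenants; `"queryPeriod": "P8D"` would bound the scan to what the query uses. The `top 50 by Slope desc` cap at every stage may hide anomalies in very large tenants, which is worth stating in the description next to the existing tuning advice.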
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json @@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Informational", + "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where ScanStatus == \"Failed\"\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "AppServices AV Scan Failure", + "enabled": false, + "description": "Identifies if an AV scan fails in Azure App Services.", + "alertRuleTemplateName": "c2da1106-bfe4-4a63-bf14-5ab73130ccd5" + } + } + ] +} \ No newline at end of file From 25775b9dab58c85a3c660e571269547698cbf4af Mon Sep 17 00:00:00 2001 
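Review bot: `"triggerThreshold": 1` combined with `"triggerOperator": "GreaterThan"` means a single failed scan in the day produces no alert, which contradicts the description "Identifies if an AV scan fails"; `"triggerThreshold": 0` matches the stated intent. The query also declares `let timeframe = ago(1d);` and never uses it, so the line is dead and can be removed. `HostCustomEntity = _ResourceId` maps an ARM resource ID onto the Host entity's `FullName`, which will not resolve to a host; an `AzureResource` entity with the `ResourceId` identifier is the mapping that fits this column.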
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:34 +0000 Subject: [PATCH 039/375] Exported file: AppServices AV Scan with Infected Files.json.json --- ...pServices AV Scan with Infected Files.json | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json new file mode 100644 index 00000000..798f4b14 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json 
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09171b34-9e5d-4554-8675-f564c77f739d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09171b34-9e5d-4554-8675-f564c77f739d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Informational", + "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "AppServices AV Scan with Infected Files", + "enabled": false, + "description": "Identifies if an AV scan finds infected files in Azure App Services.", + "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036" + } + } + ] +} \ No newline at end of file From 6ad92f4596ff955d423258f606ec9aa43c1d14da Mon Sep 17 00:00:00 2001 
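Review bot: With `"triggerThreshold": 1` and `GreaterThan`, a day in which exactly one scan reports `NumberOfInfectedFiles > 0` is dropped, so confirmed malware on an App Service may never raise an alert; `"triggerThreshold": 0` makes the rule fire on the first infected result. Given that this rule is a positive malware detection rather than a health signal, `"severity": "Informational"` also looks too low relative to the sibling scan-failure rule, though the right level depends on how the workspace triages App Service findings. The unused `let timeframe = ago(1d);` and the `_ResourceId`-as-Host mapping are the same issues as in the scan-failure rule and would be worth fixing together.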
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:35 +0000 Subject: [PATCH 040/375] Exported file: Attempt to bypass conditional access rule in Azure AD.json.json --- ...s conditional access rule in Azure AD.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json diff --git a/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json new file mode 100644 index 00000000..a5d22d05 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2888ae98-ce2c-44e9-a841-001e775b0b7a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2888ae98-ce2c-44e9-a841-001e775b0b7a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), 
IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Attempt to bypass conditional access rule in Azure AD", + "enabled": false, + "description": "Identifies an attempt to Bypass conditional access rule(s) 
in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences: \nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", + "alertRuleTemplateName": "3af9285d-bb98-4a35-ad29-5ea39ba0c628" + } + } + ] +} \ No newline at end of file From 8ab3f091c61cbdc3bc6a66a2f96edf277f161aad Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:36 +0000 Subject: [PATCH 041/375] Exported file: Attempts to sign in to disabled accounts.json.json --- ...empts to sign in to disabled accounts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json diff --git a/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json new file mode 100644 index 00000000..38093f5f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json 
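Review bot: The query sets `Status = todynamic(DeviceDetail)` and then reads `Status.errorCode` and `Status.additionalDetails`, so `StatusCode` and `StatusDetails` are derived from the device payload and come out empty; as a result the `StatusDetails !has "MFA successfully completed"` filter never excludes anything and the `Status` column shows only `": " + ResultDescription`. The extend should be `| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)`. Separately, `IPCustomEntity = tostring(IPAddresses)` feeds a serialised set such as `["1.2.3.4","5.6.7.8"]` into the IP entity's `Address` field, which will not resolve as an IP; `mv-expand` the set before the entity extend, or map one address per row. The first `where` also compares the string column `ConditionalAccessStatus` to the integer `1`, which as far as I can tell never matches and is redundant with the `=~ "failure"` branch.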
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b0a0ec4e-ca45-42df-aaca-8487d921115d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b0a0ec4e-ca45-42df-aaca-8487d921115d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. 
The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Attempts to sign in to disabled accounts", + "enabled": false, + "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "alertRuleTemplateName": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04" + } + } + ] +} \ No newline at end of file From c95f26b670340f76992bdd0d877c91a956914866 Mon Sep 17 00:00:00 2001 
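Review bot: The query keys on `ResultType == "50057"` and then additionally requires an exact match on the full `ResultDescription` text, so any change or localisation of that description in the sign-in logs silently drops every event even though the error code alone already identifies the condition; removing the `ResultDescription =~ ...` line, or relaxing it to `ResultDescription has "disabled"`, makes the rule robust to wording changes. The `count()` column produced by the summarize is never used downstream and could be dropped. The description says the default threshold is 3 applications but does not mention that the count is taken per `UserPrincipalName, IPAddress` pair, which matters when tuning; a sentence noting that would help.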
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:36 +0000 Subject: [PATCH 042/375] Exported file: Audit policy manipulation using auditpol utility.json.json --- ...y manipulation using auditpol utility.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json diff --git a/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json new file mode 100644 index 00000000..9a038cca --- /dev/null +++ b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edb16bf3-eeca-4545-901f-6b4d79a41be9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edb16bf3-eeca-4545-901f-6b4d79a41be9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\nlet AccountAllowList = dynamic(['SYSTEM']);\nlet SubCategoryList = dynamic([\"Logoff\", \"Account Lockout\", \"User Account Management\", \"Authorization Policy Change\"]); // Add any Category in the list to be allowed or disallowed\nlet tokens = dynamic([\"clear\", \"remove\", \"success:disable\",\"failure:disable\"]); \n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n//| where Process =~ \"auditpol.exe\" \n| where CommandLine has_any (tokens)\n| where AccountType !~ \"Machine\" and Account !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n// | where InitiatingProcessFileName =~ \"auditpol.exe\" \n| where InitiatingProcessCommandLine has_any (tokens)\n| where AccountName !in~ (AccountAllowList)\n| parse InitiatingProcessCommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n// | where OriginalFileName =~ \"auditpol.exe\"\n| where CommandLine has_any (tokens)\n| where User !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle 
!in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Audit policy manipulation using auditpol utility", + "enabled": false, + "description": "This detects attempt to manipulate audit policies using auditpol command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \nif the results show unrelated false positives, users may want to uncomment it.\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \nRefer to our M365 blog for details on use during the Solorigate attack:\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "alertRuleTemplateName": "66276b14-32c5-4226-88e3-080dacc31ce1" + } + } + ] +} \ No newline at end of file From 9b4b064d326e03c4024058bcbc5e01f6383c737c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:37 +0000 Subject: [PATCH 043/375] Exported file: Authentication Methods Changed for Privileged Account.json.json --- ...ethods Changed for Privileged Account.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json diff --git a/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json new file mode 100644 index 00000000..2a146d8f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json 
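Review bot: The `tokens` list includes `clear` and `remove`, but every branch then requires a `/subcategory:` token followed by a double-quoted value (`parse CommandLine with * "/subcategory:" subcategorytoken` and `split(subcategorytoken, "\"")[1]`), so `auditpol /clear` and `/remove` invocations, and any `/set` with an unquoted subcategory, end up with an empty `SubCategory` and are discarded by `where SubCategory in~ (SubCategoryList)` — the detection effectively covers only the quoted `/set /subcategory:"…"` form. If the broader coverage implied by `tokens` is intended, extract the subcategory with a pattern that tolerates both forms, e.g. `extract(@'/subcategory:"?([^"/]+)', 1, CommandLine)`, and route rows carrying `clear`/`remove` through a separate branch instead of the subcategory filter. The same parse/split pattern repeats in the DeviceProcessEvents and Sysmon branches of the query. `techniques` is null; this rule maps naturally to MITRE ATT&CK T1562.002 (Impair Defenses: Disable Windows Event Logging), which arguably also fits better than the `Execution` tactic.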
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d3d9221-367e-4954-836b-a53bfb08d042')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d3d9221-367e-4954-836b-a53bfb08d042')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles matches regex 'Admin'\n | summarize by tolower(AccountUPN));\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName =~ \"User registered security info\"\n| where LoggedByService =~ \"Authentication Methods\"\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(InitiatedBy.user.ipAddress)\n| where AccountCustomEntity in (VIPUsers)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + 
"columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Authentication Methods Changed for Privileged Account", + "enabled": false, + "description": "Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "alertRuleTemplateName": "694c91ee-d606-4ba9-928e-405a2dd0ff0f" + } + } + ] +} \ No newline at end of file From e969f3f990df4c2f6b033301f23d495b9fb6ebae Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:38 +0000 Subject: [PATCH 044/375] Exported file: Azure AD Health Monitoring Agent Registry Keys Access.json.json --- ...Monitoring Agent Registry Keys Access.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json new file mode 100644 index 00000000..dbd3607b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json 
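Review bot: The `VIPUsers` set is built with `summarize by tolower(AccountUPN)`, but the final filter compares the un-normalised `AccountCustomEntity` using the case-sensitive `in` operator, so a privileged account whose `TargetResources[0].userPrincipalName` contains any upper-case letter never matches and the alert is silently missed. Use `| where tolower(AccountCustomEntity) in (VIPUsers)` (or `in~`) so both sides are compared case-insensitively. The hard-coded `let queryfrequency = 2h;` and `let queryperiod = 14d;` duplicate `queryFrequency`/`queryPeriod` in the rule properties and will drift if either is retuned; a comment beside them such as `// keep aligned with queryFrequency/queryPeriod` would make the coupling visible.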
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// ADHealth Monitoring Agent Registry Key\nlet aadHealthMonAgentRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", 
\"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n| summarize count() by ProcessName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Azure AD Health Monitoring Agent Registry Keys Access", + "enabled": false, + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\n", + "alertRuleTemplateName": "f819c592-c5f9-4d5c-a79f-1e6819863533" + } + } + ] +} \ No newline at end of file From 87a5a569be3dde1b032264725a0aa195eb70dd37 Mon Sep 17 00:00:00 2001 
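Review bot: The query ends with `| summarize count() by ProcessName`, which discards `TimeGenerated`, `timestamp`, `AccountCustomEntity` and `HostCustomEntity` computed on the line before it, and unlike the sibling Health Service Agents rule this template carries no `entityMappings`, so a fired alert has no account or host entity for triage or incident grouping. The summarize reads like a tuning leftover; dropping that line and adding the same Account/Host `entityMappings` used by the other registry-key rule restores the entities. With the aggregation in place, `triggerThreshold: 0` fires on one aggregated row per process rather than per access event, which may be intended but is worth stating in the description.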
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:39 +0000 Subject: [PATCH 045/375] Exported file: Azure AD Health Service Agents Registry Keys Access.json.json --- ...h Service Agents Registry Keys Access.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json new file mode 100644 index 00000000..2e4c50df --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// ADHealthAgent Registry Key\nlet aadConnectHealthRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = 
column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Azure AD Health Service Agents Registry Keys Access", + "enabled": false, + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\n", + "alertRuleTemplateName": "06bbf969-fcbe-43fa-bac2-b2fa131d113a" + } + } + ] +} \ No newline at end of file From 32b4b2031fce44899060a40cf1aad33e440221a9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:40 +0000 Subject: [PATCH 046/375] Exported file: Azure AD Role Management Permission Grant.json.json --- ...e AD Role Management Permission Grant.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json new file mode 100644 index 00000000..0754cfd5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e3406d-b57c-411b-8604-4b77ff01e36f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e3406d-b57c-411b-8604-4b77ff01e36f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ has_any (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where Permission has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = iif(displayName_ =~ 'DelegatedPermissionGrant.Scope',\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\n 
tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "PrivilegeEscalation", + "Persistence" + ], + "techniques": null, + "displayName": "Azure AD Role Management Permission Grant", + "enabled": false, + "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "alertRuleTemplateName": "1ff56009-db01-4615-8211-d4fda21da02d" + } + } + ] +} \ No newline at end of file From 0b4e119528145bc1a3c9498e5914fecd83b92ef4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:40 +0000 Subject: [PATCH 047/375] Exported file: Azure Active Directory Hybrid Health AD FS New Server.json.json --- ...ectory Hybrid Health AD FS New Server.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json 
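Review bot: `Target` and `TargetId` are read by fixed position (`TargetResources.modifiedProperties[4]`, `[2]`, `[3]`), which depends on the order in which Azure AD emits the modified-property array; if that order differs by operation or changes upstream the rule keeps firing but reports the wrong object, and because the row has already been `mv-expand`ed on `TargetResources.modifiedProperties`, indexing the original array is easy to misread. Selecting the properties by their `displayName` (via `mv-apply`, or a second `mv-expand` followed by a `where` on the name) would make the extraction order-independent — the exact property names cannot be confirmed from this hunk and should be checked against a sample event. The template also has no `entityMappings`, even though `Initiator` (UPN or app display name) and `TargetId` are summarised; mapping at least the target service principal to an entity would make the resulting incident actionable.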
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json new file mode 100644 index 00000000..29761afb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d197e7a-078d-4401-9359-9c84a2335885')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d197e7a-078d-4401-9359-9c84a2335885')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS New Server", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/", + "alertRuleTemplateName": "88f453ff-7b9e-45bb-8c12-4058ca5e44ee" + } + } + ] +} \ No newline at end of file From be215c9b8ff632474a73d6ba16eb17b62af5b06e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:41 +0000 Subject: [PATCH 048/375] Exported file: Azure Active Directory Hybrid Health AD FS Service Delete.json.json --- ...ry Hybrid Health AD FS Service Delete.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json new file mode 100644 index 00000000..7426686e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } 
+ ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS Service Delete", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/", + "alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771" + } + } + ] +} \ No newline at end of file From abd5c17a115cf4d064980787f28b945d35be52e0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:42 +0000 Subject: [PATCH 049/375] Exported file: Azure Active Directory Hybrid Health AD FS Suspicious Application.json.json --- ...d Health AD FS Suspicious Application.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json new file mode 100644 index 00000000..1fad03c8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\nlet appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\nlet operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\nAzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue in~ (operationNamesList)\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| where AppId !in (appList)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS Suspicious Application", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.", + "alertRuleTemplateName": "d9938c3b-16f9-444d-bc22-ea9a9110e0fd" + } + } + ] +} \ No newline at end of file From 1b59afad047e1701a497664c5b42ea6bc002eefd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:43 +0000 Subject: [PATCH 050/375] Exported file: Azure Active Directory PowerShell accessing non-AAD resources.json.json --- ...owerShell accessing non-AAD resources.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json new file mode 100644 index 00000000..482dc022 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", + "enabled": false, + "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", + "alertRuleTemplateName": "50574fac-f8d1-4395-81c7-78a463ff0c52" + } + } + ] +} \ No newline at end of file From 71872db5c812e51db1095a9c9d4cfd6a9c7c95b9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:44 +0000 Subject: [PATCH 051/375] Exported file: Azure DevOps Administrator Group Monitoring.json.json --- ...DevOps Administrator Group Monitoring.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json new file mode 100644 index 00000000..381cb64c --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05c4ea76-9c7f-4865-824b-178cbb899a82')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05c4ea76-9c7f-4865-824b-178cbb899a82')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT4H", + "queryPeriod": "PT4H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n// Change to true to monitor for Project Administrator adds to *any* project\nlet MonitorAllProjects = false;\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\nlet ProjectsToMonitor = dynamic(['','']);\nAzureDevOpsAuditing\n| where Area == \"Group\" and OperationName == \"Group.UpdateGroupMembership.Add\"\n| where Details has 'Administrators'\n| where Details has \"was added as a member of group\" and (Details endswith '\\\\Project Administrators' or Details endswith '\\\\Project Collection Administrators')\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\' GroupName\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\n| project TimeGenerated, Severity, 
Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps Administrator Group Monitoring", + "enabled": false, + "description": "This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.", + "alertRuleTemplateName": "89e6adbd-612c-4fbe-bc3d-32f81baf3b6c" + } + } + ] +} \ No newline at end of file From d16c2989b6eb82af6158451ff57c07aa71fcc7a8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:45 +0000 Subject: [PATCH 052/375] Exported file: Azure DevOps Agent Pool Created Then Deleted.json.json --- ...evOps Agent Pool Created Then Deleted.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json 
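Review bot: The per-row `Severity` column ('High' for Project Collection Administrators, 'Medium' for project level) has no effect on what Sentinel raises, because the static `"severity": "Medium"` applies to every alert and no `alertDetailsOverride` is configured — an organization-level admin addition is therefore surfaced as Medium. Add to `properties` an override such as `"alertDetailsOverride": { "alertSeverityColumnName": "Severity", "alertDescriptionFormat": "{{AlertDetails}}" }` so the computed severity and the `AlertDetails` text reach the alert. Note also that with `MonitorAllProjects = false` and the placeholder `ProjectsToMonitor = dynamic(['',''])`, the final `where` only passes organization-level adds out of the box; the description should state that project-level monitoring requires editing those two `let`s.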
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json new file mode 100644 index 00000000..7daf66d8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let lookback = 14d;\nlet timewindow = 7d;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolCreated\"\n| extend AgentCloudId = tostring(Data.AgentCloudId)\n| extend PoolType = iif(isnotempty(AgentCloudId), \"Azure VMs\", \"Self Hosted\")\n// Comment this line out to include cloud pools as well\n| where PoolType == \"Self Hosted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend IsHosted = tostring(Data.IsHosted)\n| extend IsLegacy = tostring(Data.IsLegacy)\n| extend timekey = bin(TimeGenerated, timewindow)\n// Join only with pools deleted in the same window\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolDeleted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Agent Pool Created Then Deleted", + "enabled": false, + "description": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.", + "alertRuleTemplateName": "acfdee3f-b794-404a-aeba-ef6a1fa08ad1" + } + } + ] +} \ No newline at end of file From 84126052f2054a5ccaac5abac6fb6a5966fc8f92 Mon Sep 17 00:00:00 2001 
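Review bot: The join condition `on AgentPoolId, timekey` with `timekey = bin(TimeGenerated, timewindow)` only pairs a creation and a deletion that fall in the same 7-day bin, so a pool created near the end of one bin and deleted a day later in the next is missed even though the description promises detection "within 7 days". Join on `AgentPoolId` alone and compare the two timestamps directly, dropping both `timekey` extends; the rewrite below (shown as the unescaped `query` text) also names the deleting actor, which the current join leaves as unlabelled `ActorUPN1`/`IpAddress1` columns at the end of the row. Since the entity mappings use only the creator's `ActorUPN`/`IpAddress`, consider a second Account/IP mapping on `DeletedBy`/`DeletedFromIp`.
```kql
// … unchanged: creation-side filters and extends (OperationName, PoolType, AgentPoolName, AgentPoolId, IsHosted, IsLegacy) …
| project-rename CreatedTime = TimeGenerated
// Join on the pool id only; the time constraint is applied below instead of via bin()
| join kind=inner (AzureDevOpsAuditing
    | where TimeGenerated > ago(lookback)
    | where OperationName =~ "Library.AgentPoolDeleted"
    | extend AgentPoolId = tostring(Data.AgentPoolId)
    | project AgentPoolId, DeletedTime = TimeGenerated, DeletedBy = ActorUPN, DeletedFromIp = IpAddress) on AgentPoolId
| where DeletedTime between (CreatedTime .. (CreatedTime + timewindow))
| extend TimeGenerated = CreatedTime
// … unchanged: project-reorder and entity extends …
```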
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:45 +0000 Subject: [PATCH 053/375] Exported file: Azure DevOps Audit Stream Disabled.json.json --- .../Azure DevOps Audit Stream Disabled.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json new file mode 100644 index 00000000..cb3e0d9b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"AuditLog.StreamDisabledByUser\"\n| extend StreamType = tostring(Data.ConsumerType)\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Audit Stream Disabled", + "enabled": false, + "description": "Azure DevOps allow for audit logs to be 
streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate.", + "alertRuleTemplateName": "4e8238bd-ff4f-4126-a9f6-09b3b6801b3d" + } + } + ] +} \ No newline at end of file From d745367aeb77791150eba91e11fa8d2ea69f9236 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:46 +0000 Subject: [PATCH 054/375] Exported file: Azure DevOps Build Variable Modified by New User_.json.json --- ... Build Variable Modified by New User_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json new file mode 100644 index 00000000..75675e69 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json 
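Review bot: The filter `OperationName =~ "AuditLog.StreamDisabledByUser"` covers only one way of silencing the feed; the Azure DevOps audit log also records stream deletion and modification (e.g. repointing the target), and I believe a stream the service disables itself after repeated delivery failures — verify the exact names with `AzureDevOpsAuditing | where OperationName startswith "AuditLog." | distinct OperationName` and widen the filter, e.g. `| where OperationName in~ ("AuditLog.StreamDisabledByUser", "AuditLog.StreamDisabledBySystem", "AuditLog.StreamDeleted", "AuditLog.StreamModified")`. Note that the AzureDevOpsAuditing table is itself fed by the stream being disabled, so the rule can only fire if the disable event is delivered before delivery stops; pair it with an absence rule (no AzureDevOpsAuditing rows for N hours) as a backstop. A daily `queryFrequency`/`queryPeriod` is long for a High-severity, low-noise event; PT1H would shorten time-to-detect without adding false positives.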
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/10254512-df08-4fea-8619-c505e87d377b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/10254512-df08-4fea-8619-c505e87d377b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet historical_data =\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend variables = Data.Variables\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| project UserKey;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| where UserKey !in (historical_data)\n| project-away UserKey\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + 
"lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Build Variable Modified by New User.", + "enabled": false, + "description": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \nmodifying them before.", + "alertRuleTemplateName": "3b9a44d7-c651-45ed-816c-eae583a6f2f1" + } + } + ] +} \ No newline at end of file From 2eaa866d4444a47ddf5a39ab5067fd1d19cba53f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:47 +0000 Subject: [PATCH 055/375] Exported file: Azure DevOps New Extension Added.json.json --- .../Azure DevOps New Extension Added.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json new file mode 100644 index 00000000..3b224b1f --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let allowed_publishers = dynamic([]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Extension.Installed\"\n| extend ExtensionName = tostring(Data.ExtensionName)\n| extend PublisherName = tostring(Data.PublisherName)\n| where PublisherName !in (allowed_publishers)\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ 
+ "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps New Extension Added", + "enabled": false, + "description": "Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \nThis query looks for new extensions that are not from a configurable list of approved publishers.", + "alertRuleTemplateName": "bf07ca9c-e408-443a-8939-6860a45a929e" + } + } + ] +} \ No newline at end of file From 400bd0137191d7c58dc5c6f16e3cc2197ad1900b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:48 +0000 Subject: [PATCH 056/375] Exported file: Azure DevOps PAT used with Browser_.json.json --- .../Azure DevOps PAT used with Browser_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json new file mode 100644 index 00000000..f3e7ef1b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\"\n// Look for useragents that include a redenring engine\n| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure DevOps PAT used with Browser.", + "enabled": false, + "description": "Personal Access Tokens 
(PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.", + "alertRuleTemplateName": "5f0d80db-3415-4265-9d52-8466b7372e3a" + } + } + ] +} \ No newline at end of file From 60bf8f6a2e90bdf3d38f9315c9a8e30372943857 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:48 +0000 Subject: [PATCH 057/375] Exported file: Azure DevOps Personal Access Token (PAT) misuse.json.json --- ...ps Personal Access Token (PAT) misuse.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json new file mode 100644 index 00000000..e5f4bec3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json 
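Review bot: `has_any` matches whole terms, so of the six engine tokens only `Gecko` (present as "like Gecko" in Chrome/Edge/Safari/IE user agents and directly in Firefox) realistically matches — `WebKit` is part of the single term `AppleWebKit` and will not match, and `Blink`/`EdgeHTML` do not appear in shipped user-agent strings. Say that in the comment rather than implying the list is exhaustive, and fix the typo in `// Look for useragents that include a redenring engine` ("rendering"). Also note that Electron/CEF-based tools and scripts that copy a browser UA will match, while a stolen PAT used from curl or PowerShell will not; the description should make clear this catches one misuse pattern, not PAT theft in general.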
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41f05d3b-cc19-40f4-942e-d6748668eb18')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41f05d3b-cc19-40f4-942e-d6748668eb18')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\n// Allowlisted UPNs should likely stay empty\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\n// Operation Name parts that will alert\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\n// Distinct Operation Names that will flag\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\nAzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\n and ActorUPN !in (AllowlistedUpns)\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Personal Access Token (PAT) misuse", + "enabled": false, + "description": "This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\nUse this query for baselining:\nAzureDevOpsAuditing\n| distinct OperationName", + "alertRuleTemplateName": "ac891683-53c3-4f86-86b4-c361708e2b2b" + } + } + ] +} \ No newline at end of file From b8f92ff5c927c2197c422f503312473fec76ca49 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:49 +0000 Subject: [PATCH 058/375] Exported file: Azure DevOps Pipeline Created and Deleted on the Same Day.json.json --- ...e Created and Deleted on the Same Day.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json new file mode 100644 index 00000000..751b6ae4 --- /dev/null 
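Review bot: `AllowlistedUpns` ships with the sample entries `'foo@bar.com', 'test@foo.com'` even though the comment above it says the list should likely stay empty, so a deployed copy carries placeholder data that an operator may mistake for a real exclusion. Prefer an empty `datatable(UPN:string)[]` or a Sentinel watchlist read with `_GetWatchlist(...)` so the allowlist can be maintained without editing the rule. With `queryFrequency` and `queryPeriod` both `PT1H`, ingestion latency on `AzureDevOpsAuditing` can leave events unexamined between runs; a lookback somewhat longer than the frequency is the usual guard.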
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P3D", + "queryPeriod": "P3D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 3d;\n// Get Release Pipeline Creation Events and group by day\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineCreated\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some columns to make output clearer\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineDeleted\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some things to make the output clearer\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\n| project 
TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Azure DevOps Pipeline Created and Deleted on the Same Day", + "enabled": false, + "description": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.", + "alertRuleTemplateName": "17f23fbe-bb73-4324-8ecf-a18545a5dc26" + } + } + ] +} \ No newline at end of file From b54649c519b0c2b37c75a7585223fc5037fafe04 Mon Sep 17 00:00:00 2001 
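Review bot: The join on `PipelineId, timekey` with `timekey = bin(TimeGenerated, 1d)` only pairs a creation and a deletion that fall in the same UTC calendar day, so a pipeline created at 23:50 and deleted twenty minutes later is never matched although it is exactly the pattern the description targets. Joining on `PipelineId` alone and then filtering with `| where TimeDeleted between (TimeCreated .. TimeCreated + 1d)` covers the straddling case while keeping the same-day semantics. The hard-coded `let timeframe = 3d;` duplicates `queryPeriod`; keep the two in step if either changes.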
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:50 +0000 Subject: [PATCH 059/375] Exported file: Azure DevOps Pipeline modified by a new user_.json.json --- ...vOps Pipeline modified by a new user_.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json new file mode 100644 index 00000000..9b968c7a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/288cca7e-3f39-42fc-ada2-eca124936ec2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/288cca7e-3f39-42fc-ada2-eca124936ec2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Set the lookback to determine if user has created pipelines before\nlet timeback = 14d;\n// Set the period for detections\nlet timeframe = 1d;\n// Get a list of previous Release Pipeline creators to exclude\nlet releaseusers = AzureDevOpsAuditing\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\n| where OperationName in (\"Release.ReleasePipelineCreated\", \"Release.ReleasePipelineModified\")\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| summarize by UserScope;\n// Get Release Pipeline creations by new users\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineModified\"\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| where UserScope !in (releaseusers)\n| extend ActorUPN = tolower(ActorUPN)\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\n| join kind = leftouter 
(\nSecurityAlert\n| where TimeGenerated > ago(timeframe)\n| where ProviderName == \"IPC\"\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\n// Uncomment the line below to only show results where the user as AADIdP alerts\n//| where Alerts > 0\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Pipeline modified by a new user.", + "enabled": false, + "description": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.", + "alertRuleTemplateName": "155e9134-d5ad-4a6f-88f3-99c220040b66" + } + } + ] +} \ No newline at end of file From b6923d7e427d299eea2ed6852d10b35e70fe901f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:51 +0000 Subject: [PATCH 060/375] Exported file: Azure DevOps Pull Request Policy Bypassing - Historic allow list.json.json --- ...olicy Bypassing - Historic allow list.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json new file mode 100644 index 00000000..fa73bd4c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json 
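Review bot: The description says the user has not previously been observed "modifying or creating that pipeline", but the baseline key `UserScope = strcat(ActorUserId, "-", ProjectName)` is per user and project, so a user who touched any release pipeline in the project during the previous 14 days is excluded for every pipeline there; either the text or the key should state which scope is meant. The Identity Protection join takes `parse_json(Entities)[0].AadUserId`, which assumes the account entity is always first in the alert's entity list — an assumption worth checking against real `SecurityAlert` rows; expanding `Entities` with `mv-expand` and selecting the entry by its entity type would be more robust. The `project-away` of `Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope` happens before the join, so `ActorUserId` must survive it for the `$left.ActorUserId == $right.AadUserId` key; that holds today but deserves a comment so a later cleanup does not remove it.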
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bf49942-c5ad-448a-bf6b-893f39186ea2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bf49942-c5ad-448a-bf6b-893f39186ea2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT3H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\nlet historicBypassers = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| parse ScopeDisplayName with OrganizationName '(Organization)'\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps Pull Request Policy Bypassing - Historic allow list", + "enabled": false, + "description": "This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.", + "alertRuleTemplateName": "4d8de9e6-263e-4845-8618-cd23a4f58b70" + } + } + ] +} \ No newline at end of file 
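Review bot: `AuthorizedBypassers` is deployed with the placeholder UPNs `'foo@baz.com', 'test@foo.com'`, the same leftover pattern as in the PAT misuse rule; an empty `dynamic([])` or a watchlist lookup is the safer default. The historic allowlist also means any actor with a single `Git.RefUpdatePoliciesBypassed` event in the prior 14 days is exempt from every later bypass until that event ages out, so a first bypass that went unreviewed hides all of that actor's subsequent ones; the description should state this trade-off so analysts know the 14-day baseline itself needs review. `PRLink` is assembled from `Data.RepoName` and `Data.PullRequestId` taken straight from the audit payload, which is fine for an analyst convenience link but should not be treated as a validated URL.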
From 96029b070681c80e3a77f0fd2449dcf099410b16 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:52 +0000 Subject: [PATCH 061/375] Exported file: Azure DevOps Retention Reduced.json.json --- .../Azure DevOps Retention Reduced.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json new file mode 100644 index 00000000..1567aab0 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/769308db-305a-47ed-9837-bfb6bec71ea7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/769308db-305a-47ed-9837-bfb6bec71ea7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Pipelines.PipelineRetentionSettingChanged\"\n| where Data.SettingName in (\"PurgeArtifacts\", \"PurgeRuns\")\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Retention 
Reduced", + "enabled": false, + "description": "AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.", + "alertRuleTemplateName": "71d374e0-1cf8-4e50-aecd-ab6c519795c2" + } + } + ] +} \ No newline at end of file From 854c873946a4a6afa28a9d34007cc521e3058093 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:52 +0000 Subject: [PATCH 062/375] Exported file: Azure DevOps Service Connection Abuse.json.json --- ...Azure DevOps Service Connection Abuse.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json new file mode 100644 index 00000000..40ce7976 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json 
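Review bot: `Data.NewValue < Data.OldValue/2` and `Data.NewValue == 1` operate on `dynamic` properties and rely on implicit conversion of whatever type the audit payload carries; converting explicitly, e.g. `| extend NewValue = toint(Data.NewValue), OldValue = toint(Data.OldValue)` followed by `| where NewValue == 1 or NewValue < OldValue/2`, makes the intent clear and surfaces rows where the property arrives as a string instead of silently dropping them. A reduction to 0, if the setting permits it, is caught only through the halving branch, so the description's "reduced to the minimum level - 1" is slightly narrower than what the query matches — presumably intended, but worth a word in the description.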
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4413d174-435c-48a7-8a3c-437db7ff3939')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4413d174-435c-48a7-8a3c-437db7ff3939')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n// How many greater than Service Connections you want to view per build/release\nlet ServiceConnectionThreshold = 4;\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nAzureDevOpsAuditing\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\n| where CurrentCount > ServiceConnectionThreshold\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iif(\n Type == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, 
'/_build?definitionId=', DefId),\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Persistence", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Service Connection Abuse", + "enabled": false, + "description": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \nor dump credentials from service connections.", + "alertRuleTemplateName": "d564ff12-8f53-41b8-8649-44f76b37b99f" + } + } + ] +} \ No newline at end of file From 77a6f6dccd4d8708b4d930de2248865e1b5f9124 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:53 +0000 Subject: [PATCH 063/375] Exported file: Azure DevOps Service Connection Addition_Abuse - Historic allow list.json.json --- ... Addition_Abuse - Historic allow list.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json new file mode 100644 index 00000000..9bd1181b --- /dev/null 
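Review bot: This rule has no `entityMappings` block (the other rules in the series map Account and IP), so incidents it creates carry no entities, and the `summarize ... by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName` drops `ActorUPN`, which the sibling Historic-allow-list rule keeps; adding `ActorUPN` to the grouping plus an Account mapping would let analysts pivot from the incident. Because the query has no time filter of its own, each daily run re-evaluates the full `queryPeriod` of `P14D`, so a definition over `ServiceConnectionThreshold` fires every day for two weeks with only one-hour (and disabled) suppression; bounding the current window with `| where TimeGenerated >= ago(1d)`, as the sibling rule does with `endtime`, would stop the repeats. The commented example rows in `BypassDefIds` are a reasonable placeholder, but a one-line comment noting that the datatable is intentionally empty would make that explicit.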
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5410fda8-a757-41b6-97f1-79a08f07dd0f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5410fda8-a757-41b6-97f1-79a08f07dd0f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 6h;\n// Ignore Build/Releases with less/equal this number\nlet ServiceConnectionThreshold = 3;\n// New Connections need to exhibit execution of more \"new\" connections than this number.\nlet NewConnectionThreshold = 1;\n// List of Builds/Releases to ignore in your space\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nlet HistoricDefs = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\n| where CurrentCount > ServiceConnectionThreshold\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iff(\nType == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": 
{ + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Service Connection Addition/Abuse - Historic allow list", + "enabled": false, + "description": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.", + "alertRuleTemplateName": "5efb0cfd-063d-417a-803b-562eae5b0301" + } + } + ] +} \ No newline at end of file From 782477b8006efbd43f90d595f94a59d47ee803a6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:54 +0000 Subject: [PATCH 064/375] Exported file: Azure DevOps Variable Secret Not Secured.json.json --- ...re DevOps Variable Secret Not Secured.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json new file mode 100644 index 00000000..dd7a369c --- /dev/null 
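Review bot: `| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` is an inner join, so a build or release definition with no run in the 14-day baseline — the clearest "addition" case — is discarded before the `CurrentCount >= HistoricCount + NewConnectionThreshold` test ever sees it. A `join kind=leftouter` followed by `| extend HistoricCount = coalesce(HistoricCount, 0)` keeps those rows; whether that is wanted depends on how noisy brand-new definitions are, so the choice should be stated in the description either way. The projection `HistoricConnections = ConnectionNames1` leans on the join's automatic column suffixing; naming the historic set explicitly inside `HistoricDefs` (for example `HistoricConnectionNames = make_set(tostring(Data.ConnectionName))`) would make the output self-explanatory.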
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24b268fb-0acf-4315-808e-f1e941506be3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24b268fb-0acf-4315-808e-f1e941506be3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let keywords = dynamic([\"secret\", \"secrets\", \"password\", \"PAT\", \"passwd\", \"pswd\", \"pwd\", \"cred\", \"creds\", \"credentials\", \"credential\", \"key\"]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend Type = tostring(Data.Type)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| mv-expand Data.Variables\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\n| where Type != \"AzureKeyVault\"\n| where Data_Variables !has \"IsSecret\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": 
"FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure DevOps Variable Secret Not Secured", + "enabled": false, + "description": "Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.", + "alertRuleTemplateName": "4ca74dc0-8352-4ac5-893c-73571cc78331" + } + } + ] +} \ No newline at end of file From 155c3d6508a0d794b446c190bace2246cef9c609 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:55 +0000 Subject: [PATCH 065/375] Exported file: Azure Key Vault access TimeSeries anomaly.json.json --- ...e Key Vault access TimeSeries anomaly.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json diff --git a/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json new file mode 100644 index 00000000..e77da8f7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json 
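Review bot: In the query, `| where Type != "AzureKeyVault"` is the only case-sensitive comparison in the pipeline while the operation name is matched with `=~`; a Key Vault-backed variable group whose audited `Data.Type` differs in casing would not be excluded and would alert even though its values never live in the group, so `| where Type !~ "AzureKeyVault"` is the safer form. The `| where Data_Variables !has "IsSecret"` test only checks for the property name; if an expanded variable record can carry an explicit `IsSecret: false`, that variable is skipped rather than flagged — confirm against the AzureDevOpsAuditing schema. `has_any` is term-based, so keyword matching will not catch names such as `apiKey` where the keyword is embedded in a longer token; the description should state that limitation so tuners know what the rule covers. `techniques` is null although `tactics` lists CredentialAccess; add the technique IDs so the rule carries complete MITRE metadata.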
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22b9eab7-3edd-483a-8aca-5568e23dad78')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22b9eab7-3edd-483a-8aca-5568e23dad78')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive 
records associated with the hour of anomoly\n| join (\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\n) on Resource, TimeGenerated\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 
100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure Key Vault access TimeSeries anomaly", + "enabled": false, + "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", + "alertRuleTemplateName": "0914adab-90b5-47a3-a79f-7cdcac843aa7" + } + } + ] +} \ No newline at end of file From 10d7fa0e9b27a08a721158a96fadc0d2008a21f4 Mon Sep 17 00:00:00 2001 
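Review bot: The anomaly series is built with `step timeframe` where `timeframe` is `1d`, but the joined base-log side buckets with `bin(TimeGenerated, 1h)` in both `| extend DateHour = bin(TimeGenerated, 1h)` and `by bin(TimeGenerated,1h)`, so the `DateHour in ((AnomalyHours))` filter and the `on Resource, TimeGenerated` join can only match the 00:00–01:00 bucket of an anomalous day and most of that day's records are dropped from the alert. Using `bin(TimeGenerated, timeframe)` in both places keeps the two sides on the same grain; if hourly anomalies were intended, `timeframe` should be `1h` instead, which would also make the `HourlyCount`/`AnomalyHour` names accurate. The inner `| where TimeGenerated > ago(timeframe)` looks back only one day while `AnomalyHours` is taken from `ago(2d)`, so the earlier of the two days can never contribute rows. The description's "Indentifies" and the query comments' "anomolies"/"anomoly"/"retrive" are misspelled.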
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:55 +0000 Subject: [PATCH 066/375] Exported file: Azure Portal Signin from another Azure Tenant.json.json --- ...rtal Signin from another Azure Tenant.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json diff --git a/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json new file mode 100644 index 00000000..7904a727 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211129.json\"]\nwith(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes);\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where AppDisplayName =~ \"Azure Portal\"\n// Only get logons where the IP address is in an Azure range\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but 
it helps reduce FPs)\n| where ResourceTenantId == TenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure Portal Signin from another Azure Tenant", + "enabled": false, + "description": "This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", + "alertRuleTemplateName": "87210ca1-49a4-4a7d-bb4a-4988752f978c" + } + } + ] +} \ No newline at end of file From 2e539048c6c5ca9448cc5aa377414971570892da Mon Sep 17 00:00:00 2001 
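Review bot: The Azure IP ranges come from `externaldata(...)` pinned to `ServiceTags_Public_20211129.json`, a November 2021 snapshot that this February 2023 export still ships; the query's own comment says the file name must be updated by hand, and an hourly rule that depends on a dated download URL goes stale silently and then fails outright once the file is retired, since an externaldata fetch error fails the whole query. Consider sourcing the prefixes from a workspace watchlist refreshed by automation (`_GetWatchlist('<watchlist-name>')`) or at least recording the snapshot date in the rule description so staleness is visible to whoever tunes it. `queryPeriod` equals `queryFrequency` (PT1H), so sign-ins ingested more than an hour after their `TimeGenerated` fall outside every run's window; a slightly longer period with the existing entity grouping would close that gap. `techniques` is null while `tactics` names InitialAccess.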
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:56 +0000 Subject: [PATCH 067/375] Exported file: Azure VM Run Command operation executed during suspicious login window.json.json --- ...ecuted during suspicious login window.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json new file mode 100644 index 00000000..49ff5bff --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P2D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n// Create a join key using the Caller (UPN)\n| extend joinkey = tolower(Caller)\n// Join the Run Command actions to UEBA 
data\n| join kind = inner (\n BehaviorAnalytics\n // We are specifically interested in unusual logins\n | where EventSource == \"Azure AD\" and ActivityInsights.ActionUncommonlyPerformedByUser == \"True\"\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\n | extend joinkey = tolower(UserPrincipalName)\n) on joinkey\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure VM Run Command operation executed during suspicious login window", + "enabled": false, + "description": "Identifies when the Azure Run Command operation is executed 
by a UserPrincipalName and IP Address \nthat has resulted in a recent user entity behaviour alert.", + "alertRuleTemplateName": "11bda520-a965-4654-9a45-d09f372f71aa" + } + } + ] +} \ No newline at end of file From 2631e6272bcb28bc8cdeb004b859dfe23fa02695 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:57 +0000 Subject: [PATCH 068/375] Exported file: Azure VM Run Command operations executing a unique powershell script.json.json --- ... executing a unique powershell script.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json new file mode 100644 index 00000000..62fc74a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json 
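Review bot: `ActivityInsights.ActionUncommonlyPerformedByUser == "True"` compares a dynamic property against the string `"True"`; if the property is emitted as a boolean or with different casing the filter matches nothing and the rule silently never fires, so `tostring(ActivityInsights.ActionUncommonlyPerformedByUser) =~ "true"` is the robust form — confirm against the BehaviorAnalytics schema before changing it. `queryPeriod` is P2D with `queryFrequency` P1D and `suppressionEnabled` false, so a Run Command falling inside the one-day overlap can raise the same alert on two consecutive runs; if the overlap exists to catch late-arriving UEBA events, the description should say so. The description does not mention the correlation window applied by `UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h`; stating it helps responders judge the alert. `techniques` is null for the listed tactics.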
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e52bd802-3e96-4391-8b7f-c57e58539370')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e52bd802-3e96-4391-8b7f-c57e58539370')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let RunCommandData = materialize ( AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n| join 
kind=leftouter (\n DeviceFileEvents\n | where InitiatingProcessFileName == \"RunCommandExtension.exe\"\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\n) on VirtualMachineName\n// We need to filter by time sadly, this is the only way to link events\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\n| join kind=inner(\n DeviceEvents\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | where InitiatingProcessCommandLine has \"-File\"\n // Extract the script name based on the structure used by the RunCommand extension\n | extend PowershellFileName = extract(@\"\\-File\\s(script[0-9]{1,9}\\.ps1)\", 1, InitiatingProcessCommandLine)\n // Discard results that didn't successfully extract, these are not run command related\n | where isnotempty(PowershellFileName)\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\n | where PSCommand != PowershellFileName \n // Now we normalise the cmdlets, we're aiming to hash them to find scripts using rare combinations\n | extend PSCommand = toupper(PSCommand)\n | order by PSCommand asc\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\n) on $left.FileName == $right.PowershellFileName\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, 
PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\n| order by StartTime asc \n// We generate the hash based on the cmdlets called and the size of the powershell script\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\nlet totals = toscalar (RunCommandData\n| summarize count());\nlet hashTotals = RunCommandData\n| summarize HashCount=count() by ScriptFingerprintHash;\nRunCommandData\n| join kind=leftouter (\nhashTotals\n) on ScriptFingerprintHash\n// Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\n// Where the hash was only ever seen once.\n| where HashCount == 1\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": 
"IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure VM Run Command operations executing a unique powershell script", + "enabled": false, + "description": "Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\nin your environment.", + "alertRuleTemplateName": "5239248b-abfb-4c6a-8177-b104ade5db56" + } + } + ] +} \ No newline at end of file From 98ba34a013be6bf9acb7caed0e6cf01b8c747711 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:58 +0000 Subject: [PATCH 069/375] Exported file: Azure WAF matching for Log4j vuln(CVE-2021-44228).json.json --- ...tching for Log4j vuln(CVE-2021-44228).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json diff --git a/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json new file mode 100644 index 00000000..4e56f2fd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json 
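Review bot: `| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)` is computed but never used: the next line hashes `tostring(PowershellScriptCommands)` only, so `ScriptFingerprintHash` ignores the file size even though the description says uniqueness is a combined hash of cmdlets and file size, and two scripts with the same cmdlet set but different sizes collapse into one hash and neither is reported as unique. Change the hash line to `| extend ScriptFingerprintHash = hash_sha256(TempFingerprintString)` or drop the unused column and correct the description. The hash also depends on element order in `list_PSCommand`; assuming `make_list` preserves the sorted input, the `| order by PSCommand asc` before the `summarize` is load-bearing for the fingerprint and the comment above it should say so. `Prevelance` (an output column) and `StartTimeed` (in a comment) are misspelled; renaming the column is a visible change to consumers of the alert.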
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/094a8752-7d9e-4873-84ee-ff561e73b3c0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/094a8752-7d9e-4873-84ee-ff561e73b3c0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureDiagnostics\n| where details_data_s has \"jndi:\"\n| parse details_data_s with * '${' MaliciousCommand '}' *\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + 
"groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)", + "enabled": false, + "description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/", + "alertRuleTemplateName": "2de8abd6-a613-450e-95ed-08e503369fb3" + } + } + ] +} \ No newline at end of file From b0f95b177e813f47e5cf742508b88f313d3901c8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:58 +0000 Subject: [PATCH 070/375] Exported file: Base64 encoded Windows process command-lines (Normalized Process Events).json.json --- ...and-lines (Normalized Process Events).json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json new file mode 100644 index 00000000..7ceaecf7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json 
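Review bot: The query reads `AzureDiagnostics` with no `Category` or `ResourceType` filter before `| where details_data_s has "jndi:"`, so every six-hourly run scans the whole table and relies on the WAF-specific column being present; scoping with `| where Category == "ApplicationGatewayFirewallLog"` (Front Door WAF logs arrive under `FrontdoorWebApplicationFirewallLog`) bounds the scan to the logs the rule is written for. The `EncodeCmd`/`EncodeCmd1` pair exists because `has` is case-insensitive while `split` is not; a comment such as `// two splits because 'Base64/' and 'base64/' must be matched case-sensitively` would explain why the duplication is deliberate. Only the IP entity is mapped although `Target=hostname_s` is projected; consider mapping the targeted site as an entity so incidents group on it. The description misspells "Refrence", and `techniques` is null.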
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imProcessCreate\n | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n | where isnotempty(Process)\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Base64 encoded Windows process 
command-lines (Normalized Process Events)", + "enabled": false, + "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca" + } + } + ] +} \ No newline at end of file From 9c9acc8cae1d40e27314f0cf4d16e2a14ebd6641 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:15:59 +0000 Subject: [PATCH 071/375] Exported file: Base64 encoded Windows process command-lines.json.json --- ...encoded Windows process command-lines.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json new file mode 100644 index 00000000..e07eee3a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json 
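Review bot: `| where CommandLine contains "TVqQAAMAAAAEAAA"` uses the case-insensitive `contains`, while base64 is case-sensitive, so the filter also matches case variants that do not decode to a PE header; `contains_cs` pins the exact literal and removes that false-positive path. The same filter is used unchanged in the `SecurityEvent` variant in the next hunk (`Base64 encoded Windows process command-lines.json`). The literal also corresponds to a single base64 alignment of the header, so a one-line comment in the query stating that limitation would help whoever tunes the rule later. `techniques` is `null` although two tactics are declared.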
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Base64 encoded Windows process command-lines", + "enabled": false, + "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.", + "alertRuleTemplateName": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad" + } + } + ] +} \ No newline at end of file From ee8c6129218d5e8ea41c22e1b84a0f5f7166eb92 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:00 +0000 Subject: [PATCH 072/375] Exported file: Brute Force Attack against GitHub Account.json.json --- ...e Force Attack against GitHub Account.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json diff --git a/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json new file mode 100644 index 00000000..eebc9526 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json 
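Review bot: The selective predicate `| where CommandLine contains "TVqQAAMAAAAEAAA"` is applied only after `ProcessCreationEvents` has summarized every EventID 4688 row in the P1D window by Computer, Account, CommandLine and ParentProcessName, so the expensive aggregation runs over the whole table before the filter; moving that `where` into `processEvents` directly after `| where isnotempty(CommandLine)` restricts the summarize to matching rows and leaves the output identical. The case-sensitivity of the literal is raised on the previous hunk and applies here too.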
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d5851b1-5d59-44da-9b51-5a0482707723')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d5851b1-5d59-44da-9b51-5a0482707723')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\nlet GitHubFailedSSOLogins = (table(tableName) \n| where AppDisplayName == \"GitHub.com\" \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \n| join kind=innerunique ( \n GitHubFailedSSOLogins \n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute Force Attack against GitHub Account", + "enabled": false, + "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", + "alertRuleTemplateName": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06" + } + } + ] +} \ No newline at end of file From 9aeffa27dec7fd5b23f6130ef6505ec96feebfd2 Mon Sep 17 00:00:00 2001 
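Review bot: The run window the rule evaluates is `ago(StartTime) .. ago(EndRunTime)`, i.e. the last hour, yet `queryFrequency` is `P1D`, so 23 of every 24 hours are never examined; and the learning window reaches back `EndLearningTime` (8 days) while `queryPeriod` is `P1D`, so the baseline average and standard deviation are computed from one day of data, not seven. Aligning the schedule with the query's constants, `"queryFrequency": "PT1H"` and `"queryPeriod": "P8D"`, makes the detection continuous and the baseline meaningful. The `join kind=innerunique` also drops any account with no failures in the learning window, so a newly targeted user cannot alert; if that is intended it deserves a comment in the query. `ResultType != 0` compares the string `ResultType` column with an integer, whereas the other sign-in rules in this series use `ResultType in ("0", ...)`; confirm the implicit coercion and prefer the string form for consistency.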
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:01 +0000 Subject: [PATCH 073/375] Exported file: Brute force attack against Azure Portal.json.json --- ...ute force attack against Azure Portal.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json diff --git a/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json new file mode 100644 index 00000000..7c751939 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1d14a23e-7c19-4d9b-8775-eb282774958d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1d14a23e-7c19-4d9b-8775-eb282774958d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| where AppDisplayName has \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby 
bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against Azure Portal", + "enabled": false, + "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "alertRuleTemplateName": "28b42356-45af-40a6-a0b4-a554cdfd5d8a" + } + } + ] +} \ No newline at end of file From c88739c794f0891e2ede0604e8743d2fd26e257f Mon Sep 17 00:00:00 2001 
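Review bot: In `| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)` the `Status` column is overwritten with the device object, so `StatusCode = tostring(Status.errorCode)` and `StatusDetails = tostring(Status.additionalDetails)` on the next line read fields that do not exist there and come back empty; it should be `Status = todynamic(Status)`. The alert condition is unaffected because it keys on `ResultType`, but the status fields are silently wrong for anyone triaging the output. The Cloud PC variant later in this series (`Brute force attack against a Cloud PC.json`) reads `Status.errorCode` without the mis-assignment, which confirms the intent.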
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:02 +0000 Subject: [PATCH 074/375] Exported file: Brute force attack against a Cloud PC.json.json --- ...Brute force attack against a Cloud PC.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json diff --git a/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json new file mode 100644 index 00000000..0535916e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nSigninLogs\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| where AppDisplayName =~ \"Windows Sign In\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = 
StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against a Cloud PC", + "enabled": false, + "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", + "alertRuleTemplateName": "3fbc20a4-04c4-464e-8fcb-6667f53e4987" + } + } + ] +} \ No newline at end of file From 16acdf63f79b3097fc6102c51e6e12ad47a51c60 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:02 +0000 Subject: [PATCH 075/375] Exported file: Brute force attack against user credentials (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json 
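Review bot: The summarize uses the legacy `makeset(...)` alias and the query uses `mvexpand`, while the sibling rule `Brute force attack against Azure Portal.json` uses `make_set(...)` and `mv-expand`; using the current names consistently avoids depending on deprecated aliases and makes the two rules diff cleanly. This rule also reads only `SigninLogs`, whereas the Azure Portal variant unions `AADNonInteractiveUserSignInLogs` through its `aadFunc`; if non-interactive Windows sign-ins are relevant to Cloud PC the same pattern would close that gap, and if not, a comment in the query should say why the source is narrower.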
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json new file mode 100644 index 00000000..981a8c70 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nimAuthentication\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\n , FailureCount = countif(EventResult=='Failure')\n , SuccessCount = countif(EventResult=='Success') \n // might be improved by counting FailReason:Outdated as Success.\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against user credentials (Uses Authentication Normalization)", + "enabled": false, + "description": "Identifies 
evidence of brute force activity against a user highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8" + } + } + ] +} \ No newline at end of file From bbd8371ba1bee5eb3a6cc58852c46a77188d85d5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:03 +0000 Subject: [PATCH 076/375] Exported file: Bulk Changes to Privileged Account Permissions.json.json --- ...ges to Privileged Account Permissions.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json diff --git a/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json new file mode 100644 index 00000000..18bc8b11 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json 
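Review bot: `properties` has no `entityMappings`, so although the query outputs `TargetUsername`, `TargetUserId` and an `IPAddress` set, the incidents it creates carry no entities and the `"matchingMethod": "AllEntities"` grouping setting has nothing to match on; every other Scheduled rule in this series maps at least an Account entity. Adding an Account mapping on `TargetUsername` between `incidentConfiguration` and `tactics` restores parity, and if an IP entity is wanted the set must first be flattened with `| mv-expand IPAddress | extend IPAddress = tostring(IPAddress)` as the Azure Portal rule does. The enclosing `properties` object is complete within the hunk.
```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      {
        "identifier": "FullName",
        "columnName": "TargetUsername"
      }
    ]
  }
],
```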
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/814a077a-8846-4195-af81-d17d1bbfd54d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/814a077a-8846-4195-af81-d17d1bbfd54d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = 
tostring(TargetResources.userPrincipalName)\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\n| extend AccountCustomEntity = Target\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Bulk Changes to Privileged Account Permissions", + "enabled": false, + "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "alertRuleTemplateName": "218f60de-c269-457a-b882-9966632b9dc6" + } + } + ] +} \ No newline at end of file From 829c2abb6687c9843b675d5b23f64342412229ff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:04 +0000 Subject: [PATCH 077/375] Exported file: CAC Bugbash_ Valid Analytics Rule 2.json.json --- .../CAC Bugbash_ Valid Analytics Rule 2.json | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json 
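Review bot: The filter-and-expand pipeline from `AuditLogs` down to `extend Target = tostring(TargetResources.userPrincipalName)` is written out twice, once to compute `dcount(Target)` per hour and again verbatim as the right side of `join kind=rightsemi`, so the two copies can drift apart on the next edit (one side gains a new role name, the other does not). Defining it once with a `let RoleAdminAdds = AuditLogs | where ... | extend Target = ...;` statement and referencing `RoleAdminAdds` on both sides of the join removes the duplication without changing results. `dcount_Target > 9` is a bare magic number; a `let` constant with a one-line comment on why ten distinct targets per hour was chosen would make tuning safer. In the description, "when changes to multiple users permissions are changed at once" should read "when the permissions of multiple users are changed at once".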
diff --git a/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json new file mode 100644 index 00000000..9a34a1d6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json @@ -0,0 +1,28 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c192267-ac8a-4182-9336-f5e7647fe9e5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c192267-ac8a-4182-9336-f5e7647fe9e5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "apiVersion": "2022-09-01-preview", + "properties": { + "productFilter": "Microsoft 365 Insider Risk Management", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayNamesExcludeFilter": null, + "displayName": "CAC Bugbash: Valid Analytics Rule 2", + "enabled": true, + "description": "Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From ef44a6bc1e91f0d9e3f38555e661855d1b7fecbd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:05 +0000 Subject: [PATCH 078/375] Exported file: Changes made to AWS CloudTrail logs.json.json --- .../Changes made to AWS CloudTrail logs.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json 
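Review bot: `"displayName": "CAC Bugbash: Valid Analytics Rule 2"` with `"enabled": true` and `"alertRuleTemplateName": null` reads like a test artifact from a bug bash that has been exported alongside production detections; as written it creates an incident for every Microsoft 365 Insider Risk Management alert, since `severitiesFilter`, `displayNamesFilter` and `displayNamesExcludeFilter` are all `null`. If it is not a deliberate production rule it should be excluded from the export, and if it is, it needs a production name and a description that records the intended scope. It is also the only rule in this part of the series exported with `enabled` set to `true`.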
diff --git a/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json new file mode 100644 index 00000000..9119d665 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe98a5-5be4-4a6c-9808-eef4c1946f37')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe98a5-5be4-4a6c-9808-eef4c1946f37')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([\"UpdateTrail\",\"DeleteTrail\",\"StopLogging\",\"DeleteFlowLogs\",\"DeleteEventBus\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Changes made to AWS CloudTrail logs", + "enabled": false, + "description": "Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ", + "alertRuleTemplateName": "610d3850-c26f-4f20-8d86-f10fdf2425f5" + } + } + ] +} \ No newline at end of file From 0594a01be68af4ad5328ad7c5c76d9da6aa08441 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:06 +0000 Subject: [PATCH 079/375] Exported file: Changes to AWS Elastic Load Balancer security groups.json.json --- ...Elastic Load Balancer security groups.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json new file mode 100644 index 00000000..2e040b09 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json 
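Review bot: `AccountCustomEntity = UserIdentityUserName` leaves the Account entity empty for actions performed through an assumed role, where `UserIdentityUserName` can be blank and the principal is in `SessionIssuerUserName`; the sibling rule `Changes to AWS Elastic Load Balancer security groups.json` already handles this with `| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)` before its summarize and maps `AccountCustomEntity = User`. The same change applies here, with `User` replacing `UserIdentityUserName` in the `by` clause so the fallback value survives the aggregation. In the description, "DelteteFlowLogs" should read "DeleteFlowLogs".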
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0bffacb7-52da-463c-8ae4-62c09da8c510')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0bffacb7-52da-463c-8ae4-62c09da8c510')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + 
} + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Changes to AWS Elastic Load Balancer security groups", + "enabled": false, + "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/.", + "alertRuleTemplateName": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8" + } + } + ] +} \ No newline at end of file From 082297dd23bf9da650fb0ff4b8a3c6a53494f26c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:06 +0000 Subject: [PATCH 080/375] Exported file: Changes to AWS Security Group ingress and egress settings.json.json --- ...ity Group ingress and egress settings.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json new file mode 100644 index 00000000..71c08bd8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json 
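Review bot: The `summarize EventCount=count(), ...` clause groups on `AdditionalEventData` and `ResponseElements`, which are per-call payloads and will in most cases be unique per event, so `EventCount` collapses to 1 and the daily aggregation is largely defeated. If those payloads are wanted in the alert, drop them from the `by` list and carry them with `make_set(ResponseElements)` or similar; the security-group rule (hunk ending at L230) has the same shape and the same fix applies there.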
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dea3bd60-9ee8-49fd-a859-3bab903451e5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dea3bd60-9ee8-49fd-a859-3bab903451e5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ 
+ { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Changes to AWS Security Group ingress and egress settings", + "enabled": false, + "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.", + "alertRuleTemplateName": "4f19d4e3-ec5f-4abc-9e61-819eb131758c" + } + } + ] +} \ No newline at end of file From b351bb1b64972c9c179fe4f87f63171c4dad80f8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:07 +0000 Subject: [PATCH 081/375] Exported file: Changes to Amazon VPC settings.json.json --- .../Changes to Amazon VPC settings.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json diff --git a/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json new file mode 100644 index 00000000..087b4a2c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json 
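Review bot: The description string misspells `enviornment`; it should read `environment`. The description is analyst-facing text attached to every incident this rule creates, so it is worth correcting before the rule is enabled.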
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + 
"fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation", + "LateralMovement" + ], + "techniques": null, + "displayName": "Changes to Amazon VPC settings", + "enabled": false, + "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html", + "alertRuleTemplateName": "65360bb0-8986-4ade-a89d-af3cf44d28aa" + } + } + ] +} \ No newline at end of file From f3da054dd0a57e3299950fdd02cda2810c3a27e6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:08 +0000 Subject: [PATCH 082/375] Exported file: Changes to internet facing AWS RDS Database instances.json.json --- ...net facing AWS RDS Database instances.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json diff --git a/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json new file mode 100644 index 00000000..7abccb3b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": 
"IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Changes to internet facing AWS RDS Database instances", + "enabled": false, + "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html", + "alertRuleTemplateName": "8c2ef238-67a0-497d-b1dd-5c8a0f533e25" + } + } + ] +} \ No newline at end of file From b19125ebc3de5557ff79ccb7e59214f2b67257f5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:09 +0000 Subject: [PATCH 083/375] Exported file: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json.json --- ...Process, Hash and IP IOCs - June 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json diff --git a/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json new file mode 100644 index 00000000..6fd88e78 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda5807c-80cb-4159-adcb-884589deef20')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda5807c-80cb-4159-adcb-884589deef20')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = 
case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in 
(IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Chia crypto IOC detected', Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" 
Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = 'Chia crypto IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend 
Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlertDetail = 'Chia crypto IOC detected', FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, 
Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.", + 
"alertRuleTemplateName": "595a10c9-91be-4abb-bbc7-ae9c57848bef" + } + } + ] +} \ No newline at end of file From e36449e1d6832dea4e6cac287c7e839c115309de Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:09 +0000 Subject: [PATCH 084/375] Exported file: Cisco - firewall block but success logon to Azure AD.json.json --- ...l block but success logon to Azure AD.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json diff --git a/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json new file mode 100644 index 00000000..49e0d333 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cef2de7-424f-4297-b732-b8985477fb7e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cef2de7-424f-4297-b732-b8985477fb7e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet aadFunc = (tableName:string){\nCommonSecurityLog\n| where DeviceVendor =~ \"Cisco\"\n| where DeviceAction =~ \"denied\"\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where SourceIPType == \"public\"\n| summarize count() by SourceIP\n| join (\n // Successful signins from IPs blocked by the firewall solution are suspect\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\n // as that supposes the password was sucessfully guessed.\n table(tableName)\n | where ResultType in (\"0\", \"50074\", \"50076\") \n) on $left.SourceIP == $right.IPAddress\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": 
false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Cisco - firewall block but success logon to Azure AD", + "enabled": false, + "description": "Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\nand could indicate credential compromise for the user account.", + "alertRuleTemplateName": "157c0cfc-d76d-463b-8755-c781608cdc1a" + } + } + ] +} \ No newline at end of file From cd1b850b2902e2bccd3a2e1fcd91da2693b8444b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:10 +0000 Subject: [PATCH 085/375] Exported file: Cisco ASA - average attack detection rate increase.json.json --- ...verage attack detection rate increase.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json new file mode 100644 index 00000000..1a3d96bd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json 
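Review bot: `| summarize count() by SourceIP` on the firewall side discards both the count and the timing of the blocks, so the join pairs any successful sign-in in the day with any denied connection from the same IP in the same day, in either order, and the alert carries no evidence of the block itself. Keeping `| summarize BlockCount = count(), FirstBlock = min(TimeGenerated), LastBlock = max(TimeGenerated) by SourceIP` and projecting those fields next to `timestamp` gives analysts the supporting events and allows a later `where` to require the block to precede the sign-in. The `ResultType in ("0", "50074", "50076")` filter is explained by the in-query comment, which is good; the same comment style should explain why only `DeviceAction =~ "denied"` is considered, since other deny spellings from the appliance are not matched.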
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a9a7b49-4e79-4f64-b778-209a63227af1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a9a7b49-4e79-4f64-b778-209a63227af1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet timeframe = 1h;\nlet last1h = CommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, 
DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlet prev6h = CommonSecurityLog \n| where TimeGenerated between (ago(6h) .. ago(1h))\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlast1h | join (\n prev6h \n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 
2*prev6hAvgBurstRatePerSec\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery", + "Impact" + ], + "techniques": null, + "displayName": "Cisco ASA - average attack detection rate increase", + "enabled": false, + "description": "This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html", + "alertRuleTemplateName": "79f29feb-6a9d-4cdf-baaa-2daf480a5da1" + } + } + ] +} \ No newline at end of file From e692b982a3996af7ccdae4faa4927cf79804ac32 Mon Sep 17 00:00:00 2001 
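Review bot: The `StartTimeUtc`/`EndTimeUtc` exposed on the alert, and therefore `timestamp`, come from the `prev6h` baseline summarize, so an incident is dated at the start of the six-hour baseline rather than at the hour in which the rate actually doubled. Move `StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)` into the `last1h` summarize (or rename the baseline ones `BaselineStartUtc`/`BaselineEndUtc`) so the entity timestamp points at the anomaly. The baseline also hard-codes `ago(6h) .. ago(1h)` and the `2*` multiplier three times although a `timeframe` variable is declared; `| where TimeGenerated between (ago(6h) .. ago(timeframe))` plus a single `let rate_multiplier = 2;` keeps the thresholds in one place. The two message-parsing pipelines are duplicates apart from the `prev` prefix, so parsing once and tagging rows with an `extend` on `TimeGenerated >= ago(timeframe)` before the summarize would halve the query and keep both sides from drifting. Finally, `toint()` on `CumulativeTotal` yields null once the ASA cumulative counter exceeds the 32-bit range, which silently drops those rows from `sum()`; `tolong()` is the safer cast.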
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:11 +0000 Subject: [PATCH 086/375] Exported file: Cisco ASA - threat detection message fired.json.json --- ... ASA - threat detection message fired.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json new file mode 100644 index 00000000..be3f7747 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nCommonSecurityLog \n| where isempty(CommunicationDirection) \n| where DeviceEventClassID in (\"733101\",\"733102\",\"733103\",\"733104\",\"733105\")\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery", + "Impact" + ], + "techniques": null, + "displayName": "Cisco ASA - threat detection message fired", + "enabled": false, + "description": "Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity 
occurring on the network inicated by DeviceEventClassID 733101-733105\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html", + "alertRuleTemplateName": "795edf2d-cf3e-45b5-8452-fe6c9e6a582e" + } + } + ] +} \ No newline at end of file From 5c4163b3021b36a2aad3b692f2f84721eeecd558 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:12 +0000 Subject: [PATCH 087/375] Exported file: Cisco Umbrella - Connection to Unpopular Website Detected.json.json --- ...nection to Unpopular Website Detected.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json new file mode 100644 index 00000000..ada78069 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json 
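Review bot: With `triggerThreshold: 0` and no aggregation, every 733101–733105 syslog row in the hour is raised as-is, so a busy ASA yields one alert row per event with nothing beyond the raw CSL columns for triage. A `| summarize EventCount = count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Messages = make_set(Message, 10) by DeviceName, DeviceEventClassID, SourceIP` before the entity `extend` (with `timestamp = StartTimeUtc`) gives one row per device/source and preserves the message text that the linked Cisco threat-detection guide tells the analyst to inspect. The `description` string also has a typo, "inicated" for "indicated"; it is shown to analysts in the rule gallery and should be fixed at the source.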
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ffcf2eb-7b20-4385-add1-d47244784479')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ffcf2eb-7b20-4385-add1-d47244784479')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + 
"CommandAndControl" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected", + "enabled": false, + "description": "Detects first connection to an unpopular website (possible malicious payload delivery).", + "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7" + } + } + ] +} \ No newline at end of file From fd9d6e672e7a540a9b9e08737472571c6f8d9c42 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:12 +0000 Subject: [PATCH 088/375] Exported file: Cisco Umbrella - Connection to non-corporate private network.json.json --- ...tion to non-corporate private network.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json new file mode 100644 index 00000000..a1810d0d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json 
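Review bot: This rule has no `entityMappings` array at all even though the query extends `IpCustomEntity` and `UrlCustomEntity`, and the same omission is in the Crypto Miner, Empty User Agent, Hack Tool and Rare User Agent rules later in this series; the neighbouring rules in the same batch map their `*CustomEntity` columns explicitly, so these five will raise alerts without IP or URL entities and entity-based grouping and entity pages will not work for them. Add an `entityMappings` block with `"entityType": "IP"` / `"identifier": "Address"` ← `IpCustomEntity` and `"entityType": "URL"` / `"identifier": "Url"` ← `UrlCustomEntity`, mirroring the layout the other rules use. In the query itself, the baseline casts with `tostring(Hostname)` and then collapses the table with `summarize make_list(Hostname)`, while the detection side compares an un-cast dynamic `Hostname` with `!in (top_million_list)`, so `in` is handed a single-row dynamic array instead of a column of strings and whether it unpacks that array is at best implementation-dependent. Cast once on both sides with `| extend Hostname = tostring(parse_url(UrlOriginal)["Host"])` and end the baseline with `| project Hostname` instead of `make_list`, which also sidesteps `make_list`'s default element cap on a 14-day proxy baseline.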
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc32fc57-e12b-4823-b40a-86ede70b5af7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc32fc57-e12b-4823-b40a-86ede70b5af7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Exfiltration" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Connection to non-corporate private network", + 
"enabled": false, + "description": "IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.", + "alertRuleTemplateName": "c9b6d281-b96b-4763-b728-9a04b9fe1246" + } + } + ] +} \ No newline at end of file From f72b485b2aa2de45fe932980987d2441815c26d7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:13 +0000 Subject: [PATCH 089/375] Exported file: Cisco Umbrella - Crypto Miner User-Agent Detected.json.json --- ...la - Crypto Miner User-Agent Detected.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json new file mode 100644 index 00000000..b77d766f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json 
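Review bot: The `project TimeGenerated, SrcIpAddr, Identities` drops the `UrlOriginal`, `DstIpAddr` and `UrlCategory` values the match was made on, so the analyst gets an account and a source IP but cannot see which residential/VPN destination was reached or which of the two categories fired. Keep them (`| project TimeGenerated, SrcIpAddr, Identities, DstIpAddr, UrlOriginal, UrlCategory`) and add a URL entity mapping next to the existing Account and IP ones. The `description` does not state what the rule actually does — an `Allowed` proxy request whose `UrlCategory` is 'Dynamic and Residential' or 'Personal VPN' — which matters for tuning, because remote staff legitimately reaching home networks will fire this every 10 minutes until an allowlist is added. `Identities` in Umbrella proxy logs may carry several comma-separated identities; if so, mapping it straight to Account `FullName` yields a composite entity and the column should be split first — worth confirming against the connector's parser.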
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"XMRig\" or HttpUserAgentOriginal contains \"ccminer\"\n| extend Message = \"Crypto Miner User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Crypto Miner User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by crypto miners in proxy logs.",
+ "alertRuleTemplateName": "b619d1f1-7f39-4c7e-bf9e-afbb46457997"
+ }
+ }
+ ]
+}
\ No newline at end of file
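Review bot: The two miner indicators are inlined as `contains` clauses in the `query`, whereas the Hack Tool rule in this same series keeps its indicators in a `dynamic([...])` list and matches with `has_any`; the inconsistent layout makes this list harder to extend and review. Pull them into `let miner_user_agents = dynamic(["XMRig", "ccminer"]);` and match with `| where HttpUserAgentOriginal has_any (miner_user_agents)`, bearing in mind that `has_any` is whole-term matching (a versioned agent such as `XMRig/6.x` should still hit on the `XMRig` token) while `contains` is substring and also matches unrelated agents that merely embed those letters. If substring semantics are genuinely wanted, keep `contains` but still source the strings from the list so the indicators live in one place.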
From 2c9f6793627eb5bba62f04efb8e7031886225906 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:14 +0000 Subject: [PATCH 090/375] Exported file: Cisco Umbrella - Empty User Agent Detected.json.json --- ... Umbrella - Empty User Agent Detected.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json new file mode 100644 index 00000000..970fe218 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json 
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal == ''\n| extend Message = \"Empty User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Empty User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "2b328487-162d-4034-b472-59f1d53684a1"
+ }
+ }
+ ]
+}
\ No newline at end of file
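Review bot: `HttpUserAgentOriginal == ''` in the `query` only catches the empty string; a row where the field is missing or null slips through although it is exactly the "no user agent" case the rule is meant to flag, so `| where isempty(HttpUserAgentOriginal)` is the right predicate. With `triggerThreshold: 0` and no aggregation, every empty-UA request in the 15-minute window becomes its own alert row, and non-browser clients (updaters, agents, API calls) routinely send no UA, so this will be very noisy as written. A `| summarize RequestCount = count(), Urls = make_set(UrlOriginal, 10), StartTimeUtc = min(TimeGenerated) by SrcIpAddr, DstIpAddr` (with `timestamp = StartTimeUtc`) gives one row per source/destination pair and makes allowlisting tractable.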
From 9f35bb6505ba483ea5a791e63a9ed47548053d90 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:15 +0000 Subject: [PATCH 091/375] Exported file: Cisco Umbrella - Hack Tool User-Agent Detected.json.json --- ...rella - Hack Tool User-Agent Detected.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json new file mode 100644 index 00000000..84affc5a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 15m;\nlet user_agents=dynamic([\n '(hydra)',\n ' arachni/',\n ' BFAC ',\n ' brutus ',\n ' cgichk ',\n 'core-project/1.0',\n ' crimscanner/',\n 'datacha0s',\n 'dirbuster',\n 'domino hunter',\n 'dotdotpwn',\n 'FHScan Core',\n 'floodgate',\n 'get-minimal',\n 'gootkit auto-rooter scanner',\n 'grendel-scan',\n ' inspath ',\n 'internet ninja',\n 'jaascois',\n ' zmeu ',\n 'masscan',\n ' metis ',\n 'morfeus fucking scanner',\n 'n-stealth',\n 'nsauditor',\n 'pmafind',\n 'security scan',\n 'springenwerk',\n 'teh forest lobster',\n 'toata dragostea',\n ' vega/',\n 'voideye',\n 'webshag',\n 'webvulnscan',\n ' whcc/',\n ' Havij',\n 'absinthe',\n 'bsqlbf',\n 'mysqloit',\n 'pangolin',\n 'sql power injector',\n 'sqlmap',\n 'sqlninja',\n 'uil2pn',\n 'ruler',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, 
HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Hack Tool User-Agent Detected", + "enabled": false, + "description": "Detects suspicious user agent strings used by known hack tools", + "alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a" + } + } + ] +} \ No newline at end of file From 2b739a166b5e88ecded1b998582c971f52576361 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:16 +0000 Subject: [PATCH 092/375] Exported file: Cisco Umbrella - Rare User Agent Detected.json.json --- ...o Umbrella - Rare User Agent Detected.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json new file mode 100644 index 00000000..d366425b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json 
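Review bot: Many entries in `user_agents` carry leading or trailing spaces (`' arachni/'`, `' BFAC '`, `' metis '`, `' zmeu '`), but `has_any` is a term-based match that ignores the surrounding whitespace, so the padding is a no-op here; it looks like it was carried over from a `contains`-style rule where the spaces suppressed substring hits. Either strip the padding so the list reads as what is actually matched, or, if substring intent matters, say so in a query comment, because `has_any` will still match a bare term such as `metis` or `ruler` wherever it appears as a whole word in a benign UA. The bare word `ruler` and the full Firefox 3.5.2 string are the entries most likely to fire on legitimate traffic and deserve a tuning note next to the list. Per-row alerting with `triggerThreshold: 0` applies here as well; a `summarize` by `SrcIpAddr, HttpUserAgentOriginal` with `count()` and `min(TimeGenerated)` would keep one row per scanner instead of one per request.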
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e494d49-35d6-4cea-b30d-29f22c179aab')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e494d49-35d6-4cea-b30d-29f22c179aab')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookBack = 14d;\nlet timeframe = 1d;\nlet user_agents_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\n| summarize count() by HttpUserAgentOriginal\n| summarize make_list(HttpUserAgentOriginal);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal !in (user_agents_list)\n| extend Message = \"Rare User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Rare User Agent Detected", + "enabled": false, + "description": 
"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.", + "alertRuleTemplateName": "8c8de3fa-6425-4623-9cd9-45de1dd0569a" + } + } + ] +} \ No newline at end of file From 27c43ef33c1af5d4f3af85dd645feb69a8061482 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:16 +0000 Subject: [PATCH 093/375] Exported file: Cisco Umbrella - Request Allowed to harmful_malicious URI category.json.json --- ...wed to harmful_malicious URI category.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json new file mode 100644 index 00000000..e6d0a858 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json 
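Review bot: The 14-day baseline is collapsed with `summarize make_list(HttpUserAgentOriginal)` and then consumed by `!in (user_agents_list)`, which hands the `in` operator a single-row dynamic-array column rather than a column of strings, and `make_list` has a default element cap, so on a proxy log with more distinct user agents than that cap the baseline silently truncates and common agents get reported as rare. End the baseline with `| distinct HttpUserAgentOriginal` (no `make_list`, and the preceding `summarize count() by` becomes unnecessary) so `!in` receives a plain string column; the Unpopular Website rule earlier in this series has the same pattern. The `description` string reads "detect a rare user-agents", which should be "detect rare user agents" — it is analyst-facing text.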
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6dda353-e32a-41e2-b892-87012ab48a79')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6dda353-e32a-41e2-b892-87012ab48a79')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n UrlCategory contains 'Adware' or\n UrlCategory contains 'Alcohol' or\n UrlCategory contains 'Illegal Downloads' or\n UrlCategory contains 'Drugs' or\n UrlCategory contains 'Child Abuse Content' or\n UrlCategory contains 'Hate/Discrimination' or\n UrlCategory contains 'Nudity' or\n UrlCategory contains 'Pornography' or\n UrlCategory contains 'Proxy/Anonymizer' or\n UrlCategory contains 'Sexuality' or\n UrlCategory contains 'Tasteless' or\n UrlCategory contains 'Terrorism' or\n UrlCategory contains 'Web Spam' or\n UrlCategory contains 'German Youth Protection' or\n UrlCategory contains 'Illegal Activities' or\n UrlCategory contains 'Lingerie/Bikini' or\n UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": 
{ + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "InitialAccess" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category", + "enabled": false, + "description": "It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..", + "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce" + } + } + ] +} \ No newline at end of file From af9858065daf251db18250817b819a034e295b7b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:17 +0000 Subject: [PATCH 094/375] Exported file: Cisco Umbrella - Request to blocklisted file type.json.json --- ...la - Request to blocklisted file type.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json new file mode 100644 index 00000000..fd09a950 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json 
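Review bot: Eighteen chained `UrlCategory contains '...' or` clauses in the `query` are hard to audit and easy to break when edited; a single list, `let harmful_categories = dynamic(['Adult Themes', 'Adware', ..., 'Weapons']);` with `| where UrlCategory has_any (harmful_categories)`, states the policy in one place and matches how the Hack Tool rule in this series handles its list (note `has_any` is whole-term while `contains` is substring, so confirm none of the Umbrella category names is a substring of another before switching). The `project TimeGenerated, SrcIpAddr, Identities` then discards `UrlOriginal` and `UrlCategory`, so the alert never says which of the eighteen categories, or which URL, was allowed; keep both and add a URL entity mapping next to the Account and IP ones. The `description` ("reccomended", "shoud", a doubled period) is analyst-facing and should be cleaned up, and it would be more useful stating the detection condition — an `Allowed` proxy request to one of these categories — rather than a policy recommendation.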
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece332c1-3f76-49d9-92fb-c94bc4af948d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece332c1-3f76-49d9-92fb-c94bc4af948d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } 
+ ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Request to blocklisted file type", + "enabled": false, + "description": "Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).", + "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e" + } + } + ] +} \ No newline at end of file From 1ab18956d0f402c92dc4a8d4f55bc52b5f06fbfe Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:18 +0000 Subject: [PATCH 095/375] Exported file: Cisco Umbrella - URI contains IP address.json.json --- ...co Umbrella - URI contains IP address.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json new file mode 100644 index 00000000..6dbbecf9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json 
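Review bot: The extension filter in the query is case-sensitive and anchored to the end of the URL: the `in` operator compares `file_ext` case-sensitively, so `.PS1` or `.Bat` never matches `file_ext_blocklist`, and `extract(@'.*(\.\w+)$', 1, UrlOriginal)` only recognises an extension at the very end of `UrlOriginal`, so a file name followed by a query string or fragment yields no `file_ext` at all. Changing the filter to `| where file_ext in~ (file_ext_blocklist)` closes the case gap, and trimming the URL at the first `?` (e.g. `tostring(split(UrlOriginal, '?')[0])`) before the `extract` closes the other. Which further extensions belong in the list is a policy decision for the deploying team and is worth stating in the description so the scope of "potentially harmful file types" is explicit.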
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b40835ac-6aa1-44c8-94ee-9634550cbf43')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b40835ac-6aa1-44c8-94ee-9634550cbf43')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlOriginal matches regex @'\\Ahttp:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Cisco Umbrella - URI contains IP address", + "enabled": false, 
+ "description": "Malware can use IP address to communicate with C2.", + "alertRuleTemplateName": "ee1818ec-5f65-4991-b711-bcf2ab7e36c3" + } + } + ] +} \ No newline at end of file From 4a8b0d634e77496f651b5644e7d69dd57c7210bf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:19 +0000 Subject: [PATCH 096/375] Exported file: Cisco Umbrella - Windows PowerShell User-Agent Detected.json.json --- ...indows PowerShell User-Agent Detected.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json new file mode 100644 index 00000000..81fa4a71 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df7345e-b037-4478-a753-dd23d194b187')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df7345e-b037-4478-a753-dd23d194b187')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"WindowsPowerShell\"\n| extend Message = \"Windows PowerShell User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Cisco Umbrella - Windows PowerShell User-Agent Detected", + "enabled": false, + "description": "Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.", + "alertRuleTemplateName": "b12b3dab-d973-45af-b07e-e29bb34d8db9" + } + } + ] +} \ No newline at end 
of file From b9625efa59fec859184a877179a7d8f6c9ef464a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:20 +0000 Subject: [PATCH 097/375] Exported file: ClientDeniedAccess.json.json --- .../ClientDeniedAccess.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ClientDeniedAccess.json diff --git a/SentinelExported-AnalyticsRule/ClientDeniedAccess.json b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json new file mode 100644 index 00000000..2f672e37 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json 
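Review bot: This rule has no `entityMappings` block, unlike the other exported rules in this series, so the `IpCustomEntity` and `UrlCustomEntity` columns the query extends are never mapped to entities and the resulting incident carries no IP or URL entity for grouping or investigation. Adding the same `entityMappings` array the neighbouring rules use restores that; the column `IpCustomEntity` also differs in casing from the `IPCustomEntity` used by the other rules and is worth aligning for consistency. That `HttpUserAgentOriginal` is the parsed user-agent column of `Cisco_Umbrella` is an assumption to confirm against the connector schema, since the `contains "WindowsPowerShell"` filter silently matches nothing if the column is empty or named differently. The `PT15M`/`PT15M` window with an in-query `ago(timeframe)` is the same no-overlap pattern as the preceding rules.
```json
"entityMappings": [
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IpCustomEntity" }
    ]
  },
  {
    "entityType": "URL",
    "fieldMappings": [
      { "identifier": "Url", "columnName": "UrlCustomEntity" }
    ]
  }
],
"tactics": [
```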
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af215a8a-6d4d-4018-9e57-232303ee41d6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af215a8a-6d4d-4018-9e57-232303ee41d6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "ClientDeniedAccess", + "enabled": false, + "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.", + "alertRuleTemplateName": "a9956d3a-07a9-44a6-a279-081a85020cae" + } + } + ] +} \ No newline at end of file From 7ac48304d649b3e3771cd04174f6adb1500d6c45 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:20 +0000 Subject: [PATCH 098/375] Exported file: Cognni Incidents for Highly Sensitive Business Information.json.json --- ...Highly Sensitive Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json new file mode 100644 index 00000000..517e9271 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let highRisk = 3;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Highly Sensitive Business Information", + "enabled": false, + "description": "Display incidents in which highly sensitive business information was placed at risk by user sharing.", + "alertRuleTemplateName": "44e80f00-b4f5-486b-a57d-4073746276df" + } + } + ] +} \ No newline at end of file 
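Review bot: The hard-coded `ago(5h)` inside the query duplicates the `PT5H` `queryPeriod`, and with `queryFrequency` also `PT5H` any record ingested after its window has been evaluated is never seen; a `queryPeriod` longer than the frequency, with the in-query `ago()` matched to it or dropped, is worth considering. This applies equally to the other seven Cognni rules in this series (L274, L276, L278, L280, L282, L284, L286), which are the same query with only the `informationType_s` literal and the `Severity` value varied. `Severity == highRisk` compares a custom-log column against an integer literal; that `CognniIncidents_CL` exposes an unsuffixed numeric `Severity` column is an assumption to confirm, since a string or `_d`-suffixed column would make the filter silently return nothing. The query also has no `project`, so every column of the custom log lands in the alert payload; projecting `TimeGenerated, userId_s, informationType_s, Severity` plus whatever the analyst needs keeps it bounded. `"techniques": null` and `"enabled": false` apply to all eight, as to the rest of the exported series.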
From f110716a096f954ee0bb2c1dfc4cc519b2756869 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:21 +0000 Subject: [PATCH 099/375] Exported file: Cognni Incidents for Highly Sensitive Financial Information.json.json --- ...ighly Sensitive Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json new file mode 100644 index 00000000..7fe66651 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let highRisk = 3;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Highly Sensitive Financial Information", + "enabled": false, + "description": "Display incidents in which highly sensitive financial information was placed at risk by user sharing.", + "alertRuleTemplateName": "7ebb7386-6c99-4331-aab1-a185a603eb47" + } + } + ] +} \ No newline at end of file 
From a0e5256c265648a49d48ebabed9d590b9a2f982a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:22 +0000 Subject: [PATCH 100/375] Exported file: Cognni Incidents for Highly Sensitive Governance Information.json.json --- ...ghly Sensitive Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json new file mode 100644 index 00000000..aa613d21 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let highRisk = 3;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Highly Sensitive Governance Information", + "enabled": false, + "description": "Display incidents in which highly sensitive governance information was placed at risk by user sharing.", + "alertRuleTemplateName": "2926ce29-08d2-4654-b2e8-7d8df70095d9" + } + } + ] +} \ No newline at end of file 
From 1a7f01bcf79b2806980073060b7b81af5aca2f20 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:23 +0000 Subject: [PATCH 101/375] Exported file: Cognni Incidents for Highly Sensitive HR Information.json.json --- ...s for Highly Sensitive HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json new file mode 100644 index 00000000..d1fe6ab3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6769d928-39db-442b-8af3-4477e02f38fc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6769d928-39db-442b-8af3-4477e02f38fc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let highRisk = 3;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Highly Sensitive HR Information", + "enabled": false, + "description": "Display incidents in which highly sensitive HR information was placed at risk by user sharing.", + "alertRuleTemplateName": "f68846cf-ec99-497d-9ce1-80a9441564fb" + } + } + ] +} \ No newline at end of file 
From 8292d8924b92d098ea190e23563ad36f319b46e2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:24 +0000 Subject: [PATCH 102/375] Exported file: Cognni Incidents for Highly Sensitive Legal Information.json.json --- ...or Highly Sensitive Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json new file mode 100644 index 00000000..a5f7c589 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let highRisk = 3;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Highly Sensitive Legal Information", + "enabled": false, + "description": "Display incidents in which highly sensitive legal information was placed at risk by user sharing.", + "alertRuleTemplateName": "4f45f43b-3a4b-491b-9cbe-d649603384aa" + } + } + ] +} \ No newline at end of file 
From 157401e41395df004c095b352153079f137eaf11 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:25 +0000 Subject: [PATCH 103/375] Exported file: Cognni Incidents for Low Sensitivity Business Information.json.json --- ... Low Sensitivity Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json new file mode 100644 index 00000000..88334c0e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lowRisk = 1;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Low Sensitivity Business Information", + "enabled": false, + "description": "Display incidents in which low sensitivity business information] was placed at risk by user sharing.", + "alertRuleTemplateName": "a0647a60-16f9-4175-b344-5cdd2934413f" + } + } + ] +} \ No newline at end of file 
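Review bot: The description contains a stray `]` after "business information"; it should read `"description": "Display incidents in which low sensitivity business information was placed at risk by user sharing.",`. The same stray bracket appears in the Low Sensitivity Governance rule at L286.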
From b714119f0ce11d1a7281ae5eacb90e1f2a5d3f9b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:25 +0000 Subject: [PATCH 104/375] Exported file: Cognni Incidents for Low Sensitivity Financial Information.json.json --- ...Low Sensitivity Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json new file mode 100644 index 00000000..fdb269e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Low Sensitivity Financial Information", + "enabled": false, + "description": "Display incidents in which low sensitivity financial information was placed at risk by user sharing.", + "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e" + } + } + ] +} \ No newline at end of file 
From 08ef410e1ddc42aac9cd862c123dee8b3d4d4292 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:26 +0000 Subject: [PATCH 105/375] Exported file: Cognni Incidents for Low Sensitivity Governance Information.json.json --- ...ow Sensitivity Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json new file mode 100644 index 00000000..d73c7c4e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity governance information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d2e40c79-fe8c-428e-8cb9-0e2282d4558c"
+ }
+ }
+ ]
+}
\ No newline at end of file
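Review bot: The description on the new side carries a stray `]` — `low sensitivity governance information] was placed` — and this string is what analysts see on every incident the rule raises. The sibling Cognni rules read cleanly, so it looks like a paste slip; proposed line: `"description": "Display incidents in which low sensitivity governance information was placed at risk by user sharing.",`.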
From 0094509e1425fd3cc09b087677198b3564c99b26 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:27 +0000 Subject: [PATCH 106/375] Exported file: Cognni Incidents for Low Sensitivity HR Information.json.json --- ...ts for Low Sensitivity HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json new file mode 100644 index 00000000..0eb51774 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "ef8654b1-b2cf-4f6c-ae5c-eca635a764e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 35dbac98257bebbc2af434b2d3f55d1af51d086d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:28 +0000 Subject: [PATCH 107/375] Exported file: Cognni Incidents for Low Sensitivity Legal Information.json.json --- ...for Low Sensitivity Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json new file mode 100644 index 00000000..afb2cb58 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "8374ec0f-d857-4c17-b1e7-93d11800f8fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b5b0b1e2515b86abf98bdb50a9d3cbada20a2cd4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:28 +0000 Subject: [PATCH 108/375] Exported file: Cognni Incidents for Medium Sensitivity Business Information.json.json --- ...dium Sensitivity Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json new file mode 100644 index 00000000..6f89ae17 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79061028-980a-4760-881b-52e79c1015c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79061028-980a-4760-881b-52e79c1015c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2c286288-3756-4824-b599-d3c499836c11"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 84b7a36b7fee1ef79e7cdb30861574df8b25c334 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:29 +0000 Subject: [PATCH 109/375] Exported file: Cognni Incidents for Medium Sensitivity Financial Information.json.json --- ...ium Sensitivity Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json new file mode 100644 index 00000000..d4dd28c1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From a0b3c2b5fea8be139d81e468a6eaa00e53f2874b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:30 +0000 Subject: [PATCH 110/375] Exported file: Cognni Incidents for Medium Sensitivity Governance Information.json.json --- ...um Sensitivity Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json new file mode 100644 index 00000000..2d01b1d4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet goverence = 'Goverence Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == goverence\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "c1d4a005-e220-4d06-9e53-7326a22b8fe4"
+ }
+ }
+ ]
+}
\ No newline at end of file
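Review bot: The filter value in the query is misspelled: `let goverence = 'Goverence Information';` feeds `| where informationType_s == goverence`, while the Low Sensitivity Governance rule in this same series filters on `'Governance Information'` and this rule's displayName and description both say Governance. Unless the source really emits that misspelled informationType_s value, the equality never matches and the rule runs without error yet produces no incidents, which is the quietest way for a detection to fail. Proposed: `let governance = 'Governance Information';` and `| where informationType_s == governance`; if the spelling is deliberate, a `//` comment inside the query stating that the upstream value is spelled this way would stop the next reader from "fixing" it.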
From e17b86ebcf4c8aa3bbbf13f0c438d8f05a740f16 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:31 +0000 Subject: [PATCH 111/375] Exported file: Cognni Incidents for Medium Sensitivity HR Information.json.json --- ...for Medium Sensitivity HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json new file mode 100644 index 00000000..d70dd2e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "75ff4f7d-0564-4a55-8b25-a75be951cde3"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 90763760e3d609c2c11081f8473a59d6d45a47a7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:31 +0000 Subject: [PATCH 112/375] Exported file: Cognni Incidents for Medium Sensitivity Legal Information.json.json --- ... Medium Sensitivity Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json new file mode 100644 index 00000000..18f5dc60 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "db750607-d48f-4aef-b238-085f4a9882f1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1d2669d43c6c1da26863dba406b7d47ba894796e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:32 +0000 Subject: [PATCH 113/375] Exported file: CoreBackUp Deletion in correlation with other related security alerts.json.json --- ...on with other related security alerts.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json diff --git a/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json new file mode 100644 index 00000000..5c93e8a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityAlert\n| extend Extprop = parse_json(ExtendedProperties)\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\"Compromised Host\"]))), toupper(tostring(Extprop[\"Compromised Host\"])), tostring(parse_json(Entities)[0].HostName))\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\"User Name\"]))), tolower(tostring(Extprop[\"User Name\"])), tolower(tostring(Extprop[\"user name\"])))\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\"IpAddress\"]) \n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\n| join kind=inner\n(\nCoreAzureBackup\n| where State =~ \"Deleted\"\n| where OperationName =~ \"BackupItem\"\n| extend data = split(BackupItemUniqueId, \";\")\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\n)\non MachineName\n| project timestamp, AlertName, HostCustomEntity 
= MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "CoreBackUp Deletion in correlation with other related security alerts",
+ "enabled": false,
+ "description": "This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.",
+ "alertRuleTemplateName": "011c84d8-85f0-4370-b864-24c13455aa94"
+ }
+ }
+ ]
+}
\ No newline at end of file From f1997984a1e0900c1d32445752d54eba7b2eb994 Mon Sep 17 00:00:00 2001 
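Review bot: The join key `MachineName` is case-normalised on only part of one side: the SecurityAlert branch upper-cases `Extprop[\"Compromised Host\"]` but its fallback `tostring(parse_json(Entities)[0].HostName)` is used as-is, and the CoreAzureBackup side takes `MachineName=data[2]` verbatim; `join kind=inner ... on MachineName` compares strings case-sensitively, so a host whose name is cased differently in the two tables never correlates and the backup deletion goes unreported. Applying `toupper()` on both sides — `toupper(tostring(parse_json(Entities)[0].HostName))` in the fallback and `MachineName=toupper(tostring(data[2]))` in the CoreAzureBackup extend — makes the correlation independent of each source's casing. Also note the `| project timestamp, AlertName, HostCustomEntity = MachineName, ...` stage is a single diff line in the file but is wrapped across two physical lines in this rendering.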
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:33 +0000 Subject: [PATCH 114/375] Exported file: Correlate Unfamiliar sign-in properties and atypical travel alerts.json.json --- ...properties and atypical travel alerts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json diff --git a/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json new file mode 100644 index 00000000..bf47e8ba --- /dev/null +++ b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let Alert1 = \nSecurityAlert\n| where AlertName == \"Unfamiliar sign-in properties\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert1Time = TimeGenerated\n| extend Alert1 = AlertName\n| extend Alert1Severity = AlertSeverity\n;\nlet Alert2 = \nSecurityAlert\n| where AlertName == \"Atypical travel\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert2Time = TimeGenerated\n| extend Alert2 = AlertName\n| extend Alert2Severity = AlertSeverity\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\n| extend CurrentIPAddress = 
tostring(parse_json(Entities)[1].Address)\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\n;\nAlert1\n| join kind=inner Alert2 on UserPrincipalName\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\n| extend TimeDelta = Alert1Time - Alert2Time\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\n| extend AccountCustomEntity = UserPrincipalName\n| extend IPCustomEntity = CurrentIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Correlate Unfamiliar sign-in properties and atypical travel alerts",
+ "enabled": false,
+ "description": "The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.",
+ "alertRuleTemplateName": "a3df4a32-4805-4c6d-8699-f3c888af2f67"
+ }
+ }
+ ]
+}
\ No newline at end of file From 92f8bcc721444927fc3bfb8a75aba553a93e1b76 Mon Sep 17 00:00:00 2001 
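Review bot: CurrentLocation, PreviousLocation and both IP columns are read positionally — `parse_json(Entities)[1]` for the current sign-in and `[2]` for the previous one — and nothing in the query or the description records that assumption; if the Atypical travel alert orders its entities differently, those columns come back empty and the IP entity mapping (`IPCustomEntity = CurrentIPAddress`) is silently blank rather than visibly wrong. At minimum a comment at the head of the query string, `// Entities[1] is assumed to be the current sign-in, Entities[2] the previous one — verify against the Atypical travel alert payload`, documents it; selecting the entities by their Type field via `mv-expand` instead of by index would remove the dependency altogether. The `AlertName ==` matches are exact and case-sensitive, which is fine as long as those product display names stay stable.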
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:34 +0000 Subject: [PATCH 115/375] Exported file: Create Incident for XDR Alerts (Critical & High).json.json --- ...dent for XDR Alerts (Critical & High).json | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json new file mode 100644 index 00000000..6e26ee7c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bde332b1-a602-44eb-b834-99dc1e0b42d9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bde332b1-a602-44eb-b834-99dc1e0b42d9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "Create Incident for XDR Alerts (Critical & High)", + "enabled": false, + 
"description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Critical & High Serverity Alerts)", + "alertRuleTemplateName": "0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd" + } + } + ] +} \ No newline at end of file From fa3ed62b2615cb418fbb4892dcd4b4b892d27311 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:35 +0000 Subject: [PATCH 116/375] Exported file: Create Incident for XDR Alerts (Medium & Low).json.json --- ...ncident for XDR Alerts (Medium & Low).json | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json new file mode 100644 index 00000000..912fc84b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json 
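Review bot: The KQL in the `query` property declares `let threshold = 100;` and never references it, so the variable is dead code and hints that an intended count or score filter was dropped before export; either remove the line or apply it in a `where`. The IP entity is mapped from `impactScope_host_s` while the Host entity already uses `impactScope_hostname_s`; if `impactScope_host_s` is not guaranteed to carry an address, the IP mapping will produce unresolvable entities — confirm against the Trend Micro connector schema before relying on it for IP correlation. The description also misspells `Serverity`.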
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc94a765-bab8-4692-9cec-86978582f1b8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc94a765-bab8-4692-9cec-86978582f1b8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "Create Incident for XDR Alerts (Medium & Low)", + "enabled": false, + 
"description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Medium & Low Serverity Alerts)", + "alertRuleTemplateName": "00282588-11e7-436d-90e8-011256c3c691" + } + } + ] +} \ No newline at end of file From ed83a371a7f5e157cdc650aa19b35d8dd7bcde83 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:35 +0000 Subject: [PATCH 117/375] Exported file: Creation of expensive computes in Azure.json.json --- ...eation of expensive computes in Azure.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json diff --git a/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json new file mode 100644 index 00000000..f4c5db53 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json 
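Review bot: `"severity": "High"` contradicts this rule's own filter `modelSeverity_s == 'medium' or modelSeverity_s == 'low'`, so every low-severity Trend Micro alert becomes a High Sentinel incident and inflates the triage queue; `"severity": "Medium"` (or `"Low"`) is what the name and description imply. As in the sibling Critical & High rule, `let threshold = 100;` is declared and never used in the query — remove it or wire it into a filter. `IPCustomEntity = impactScope_host_s` maps a field whose name suggests a host identifier onto an IP entity; verify it actually carries an address. The description also misspells `Serverity`.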
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Low", + "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": 
"PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Creation of expensive computes in Azure", + "enabled": false, + "description": "Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions", + "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3" + } + } + ] +} \ No newline at end of file From bd5421a6dabc9d3bf1a78db84b844b991bda586a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:36 +0000 Subject: [PATCH 118/375] Exported file: Credential added after admin consented to Application.json.json --- ... after admin consented to Application.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json 
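Review bot: `vmSize has_any (tokens)` in the `query` uses whole-term matching, so a bare numeric token such as "64" or "416" is unlikely to match a size like `standard_d64s_v3` or `standard_m416ms_v2`, where the indexed term is `d64s`/`m416ms` rather than the number — the rule would then only fire for sizes whose term equals a token outright (e.g. `nc24`); verify against real `AzureActivity` rows and, if the gap is confirmed, match with a regex on the numeric core of the size name instead. With `"triggerOperator": "GreaterThan"` and `"triggerThreshold": 1`, a single expensive-VM creation inside the daily window never alerts, which seems wrong for a cryptomining detection; `"triggerThreshold": 0` alerts on the first result. `clientIpAddress` is extended from `HTTPRequest` and then dropped by the `project`, leaving dead work — remove it or project it next to `CallerIpAddress`.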
diff --git a/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json new file mode 100644 index 00000000..c2f0b7c9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c22319a-c4d1-411e-8764-72a96333f21e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c22319a-c4d1-411e-8764-72a96333f21e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P2D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetResourceType = tostring(target.type)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend isAdminConsent = targetModifiedProp[0].newValue\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\n| extend Consent_Permissions = targetModifiedProp[4].newValue\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ 
\"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\n| extend UpdatedProperties = targetModifiedProp[1].newValue\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent > TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Credential added after admin consented to Application", + "enabled": false, + "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", + "alertRuleTemplateName": "707494a5-8e44-486b-90f8-155d1797a8eb" + } + } + ] +} \ No newline at end of file From a1d2be3ddad25fdbc914fa896cf30159c3388b84 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:37 +0000 Subject: [PATCH 119/375] Exported file: Critical Threat Detected.json.json --- .../Critical Threat Detected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Critical Threat Detected.json diff --git a/SentinelExported-AnalyticsRule/Critical Threat Detected.json b/SentinelExported-AnalyticsRule/Critical Threat Detected.json new file mode 100644 index 00000000..4a9bdb5e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Critical Threat Detected.json 
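Review bot: The final filter `| where TimeConsent > TimeCred` keeps rows where the consent event is newer than the credential event, which is the opposite of what the display name and description claim ("credentials were added ... after the application was granted admin consent"); unless the inversion is deliberate it should read `| where TimeCred > TimeConsent`. The query also extracts `isAdminConsent = targetModifiedProp[0].newValue` but never filters on it, so ordinary user-consent grants are matched too despite the "admin consented" framing — add a `| where isAdminConsent == true` filter (using whatever string or boolean form AuditLogs actually emits for that property; confirm against sample rows) if admin consent is the intended scope. The positional indexes into `modifiedProperties` (`[0]`, `[4]`, `[5]` on the consent side, `[0]`, `[1]`, `[2]` on the credential side) break silently if the audit schema changes order; a comment naming the expected `displayName` at each index would make such breakage visible.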
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ae05016-a937-41c9-92ab-9c347b0ea127')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ae05016-a937-41c9-92ab-9c347b0ea127')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", 
+ "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Critical Threat Detected", + "enabled": false, + "description": "This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.", + "alertRuleTemplateName": "2ca4e7fc-c61a-49e5-9736-5da8035c47e0" + } + } + ] +} \ No newline at end of file From 10a38989e9b7a35695c274c5684d96e4a736ee9b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:38 +0000 Subject: [PATCH 120/375] Exported file: DEV-0322 Serv-U related IOCs - July 2021.json.json --- ...-0322 Serv-U related IOCs - July 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json diff --git a/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json new file mode 100644 index 00000000..ba92a046 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json 
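Review bot: `"severity": "Medium"` undersells a rule whose description says "a critical threat was identified" and whose only filter is `threatHunterInfo_score_d >= 8`; if that score threshold really denotes critical, `"severity": "High"` is the consistent choice, otherwise the description should be softened. `"tactics": ["LateralMovement"]` is not supported by anything in the query, which selects on score alone and not on any report type or technique; `"tactics": null` (as the sibling XDR rules use) would be more honest than a fixed tactic that mislabels every incident. The scale of `threatHunterInfo_score_d` is not documented anywhere in the rule; a comment such as `// Carbon Black threat score; 8 and above treated as critical — confirm scale with the connector docs` next to `let threshold = 8;` would help the next analyst tune it.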
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet parentprocess = (iocs | where Type =~ \"parentprocess\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (IPList), \"RequestUrl\",\"NoMatch\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == 
\"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, IPMatch == \"RequestUrl\", RequestURL, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", 
SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = 'Dev-0322 IOC match'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where SourceHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = 'Dev-0322 IOC match'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ParentImage = EventDetail.[20].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceProcessEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\n),\n( SecurityEvent\n| where EventID == 4688\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "DEV-0322 Serv-U related IOCs - July 2021", + "enabled": false, + "description": "Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.", + "alertRuleTemplateName": "4759ddb4-2daf-43cb-b34e-d85b85b4e4a5" + } + } + ] +} \ No newline at end of file From 027e6b71b670139e96131ac9b6c17e8e6580e869 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:38 +0000 Subject: [PATCH 121/375] Exported file: DNS events related to ToR proxies (Normalized DNS).json.json --- ...lated to ToR proxies (Normalized DNS).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json new file mode 100644 index 00000000..c67b1c6b --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json 
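Review bot: The IOC list is fetched on every run with `externaldata(...)` from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, so the content of a High-severity detection is controlled by a mutable branch of an external repository and by egress from the query engine; a moved file, a modified CSV, or a transient fetch failure yields an empty `IPList` that matches nothing and raises no error, silently turning the rule into a no-op. Pin the URL to an immutable commit SHA instead of `master`, or better import the CSV into a Sentinel watchlist and replace the `externaldata` call with `_GetWatchlist('<alias>')` so the IOCs are versioned with the workspace. In the `CommonSecurityLog` branch the `where` selects with `RequestURL has_any (IPList)` but the `IPMatch` case tests `RequestURL in (IPList)`, so a URL containing an IOC address is selected and then labelled `NoMatch` with `IPCustomEntity = "NoMatch"`; use the same `has_any` test in the `case` and extract the address with `IPRegex` as the Message branch does. The second Sysmon branch reads `EventDetail.[20]` and `[4]` without any `EventID` filter, and all Sysmon branches rely on positional indexes; add `| where EventID == 1` before reading `ParentImage` and a comment naming the expected field at each index.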
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e52f7d5-cb46-4880-9b3a-279444078bcf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e52f7d5-cb46-4880-9b3a-279444078bcf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let torProxies=dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nimDns(domain_has_any=torProxies)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "DNS events related to ToR proxies (Normalized DNS)", + "enabled": false, + "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "3fe3c520-04f1-44b8-8398-782ed21435f8" + } + } + ] +} \ No newline at end of file From f6f13115e9142e5a62ce28a6b65ef7c9446d80e8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:39 +0000 Subject: [PATCH 122/375] Exported file: DNS events related to ToR proxies.json.json --- .../DNS events related to ToR proxies.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json new file mode 100644 index 00000000..dce92719 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e0c16d9-b987-4982-8917-261b9b619c83')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e0c16d9-b987-4982-8917-261b9b619c83')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "DNS events related to ToR proxies", + "enabled": false, + "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.", + "alertRuleTemplateName": "a83ef0f4-dace-4767-bce3-ebd32599d2a0" + } + } + ] +} \ No newline at end of file From 658b217d38ee176a7ccbfb9b33ddbb6495bd1912 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:40 +0000 Subject: [PATCH 123/375] Exported file: DNS events related to mining pools (Normalized DNS).json.json --- ...ated to mining pools (Normalized DNS).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json new file mode 100644 index 00000000..e374d5a5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edec3f95-3e38-4140-a078-96c6bf105d1a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edec3f95-3e38-4140-a078-96c6bf105d1a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let minersDomains=dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", 
\"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\"]);\nimDns(domain_has_any=minersDomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "DNS events related to mining pools (Normalized DNS)", + "enabled": false, + "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "c094384d-7ea7-4091-83be-18706ecca981" + } + } + ] +} \ No newline at end of file From 55c25f685743ada637d7ab8f18e463ebd46124d3 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:41 +0000 Subject: [PATCH 124/375] Exported file: DNS events related to mining pools.json.json --- .../DNS events related to mining pools.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools.json diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools.json b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json new file mode 100644 index 00000000..09a469a5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a37d6c4a-630f-40f1-8ed7-85033c97b226')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a37d6c4a-630f-40f1-8ed7-85033c97b226')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", 
\"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "DNS events related to mining pools", + "enabled": false, + "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.", + "alertRuleTemplateName": "0d76e9cf-788d-4a69-ac7d-f234826b5bed" + } + } + ] +} \ No newline at end of file From db4471c0402a129e2d6066ae718f4d8792a97866 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:42 +0000 Subject: [PATCH 125/375] Exported file: Detect PIM Alert Disabling activity.json.json --- .../Detect PIM Alert Disabling activity.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json 
diff --git a/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json new file mode 100644 index 00000000..9628cbd3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = 
tolower(InitiatedBy), ResourceCustomEntity = ResourceId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Detect PIM Alert Disabling activity", + "enabled": false, + "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access", + "alertRuleTemplateName": "1f3b4dfd-21ff-4ed3-8e27-afc219e05c50" + } + } + ] +} \ No newline at end of file From 27303138fe059fd1e4ad3c78569681bac994b3a9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:42 +0000 Subject: [PATCH 126/375] Exported file: Dev-0228 File Path Hashes November 2021 - ASIM.json.json --- ...File Path Hashes November 2021 - ASIM.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json 
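Review bot: `UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)` in the second `extend` of `query` stores the initiator's IP address under a column named UserRoles; the following `project` drops the column, so it is dead today, but the name will mislead anyone extending the rule to surface roles. Either remove the assignment so the line ends at `tostring(parse_json(tostring(InitiatedBy.app)).displayName))`, or point it at an actual role attribute once the correct field in the audit record is confirmed. The `IpAddress` fallback to the literal string `'Not Available'` also flows into `IPCustomEntity`, so the IP entity mapping will receive a non-address value for app-initiated events; mapping only when `isnotempty` of a real address would keep the entity clean.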
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json new file mode 100644 index 00000000..46c7c8c6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nimFileEvent\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\n// Increase risk score if recent alerts for the host\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| 
mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Dev-0228 File Path Hashes November 2021 - ASIM", + "enabled": false, + "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization", + "alertRuleTemplateName": "29a29e5d-354e-4f5e-8321-8b39d25047bf" + } + } + ] +} \ No newline at end of file 
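Review bot: `AlertRiskScore` is computed by the `leftouter` join and the final `extend` in `query`, but nothing in the rule surfaces it — there is no `customDetails` entry and no alert-details override — so the description's instruction that "hosts with higher risk events should be investigated first" cannot be acted on from the generated incident. Adding `"customDetails": { "AlertRiskScore": "AlertRiskScore" }` alongside `entityMappings` would carry the score into the alert; the same gap exists in the non-ASIM variant in the next hunk (PATCH 127/375). The join is also one-to-many on `DvcId`: a device with several matching MDATP alerts yields one result row per alert, which with `"triggerThreshold": 0` does not affect firing but does inflate the result count. The description still calls this a hunting query although it is deployed here as a scheduled analytics rule.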
From 24178c3c94fb1137dd80132db0824913b8e4797f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:43 +0000 Subject: [PATCH 127/375] Exported file: Dev-0228 File Path Hashes November 2021.json.json --- ...v-0228 File Path Hashes November 2021.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json new file mode 100644 index 00000000..55d5f3f7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8931ab6f-b308-4242-9876-014014c6b8ff')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8931ab6f-b308-4242-9876-014014c6b8ff')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nDeviceProcessEvents\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\n| extend DvcId = DeviceId\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = 
tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Dev-0228 File Path Hashes November 2021", + "enabled": false, + "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.", + "alertRuleTemplateName": "3b443f22-9be9-4c35-ac70-a94757748439" + } + } + ] +} \ No newline at end of file From 5a1cf3f78b948f218a14eba96e57f5b8a84a226d Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:44 +0000 Subject: [PATCH 128/375] Exported file: Distributed Password cracking attempts in AzureAD.json.json --- ...Password cracking attempts in AzureAD.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json diff --git a/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json new file mode 100644 index 00000000..ce24093f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by 
UserPrincipalName, Type \n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\n| distinct *\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Distributed Password cracking attempts in AzureAD", + "enabled": false, + "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or 
password, or invalid on-premises username or password.", + "alertRuleTemplateName": "bfb1c90f-8006-4325-98be-c7fffbc254d6" + } + } + ] +} \ No newline at end of file From b5cdcb2b4d17aa2550b52ee468ce00dda57e4b90 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:45 +0000 Subject: [PATCH 129/375] Exported file: Duplicate Rule DisplayName 1 (1).json.json --- .../Duplicate Rule DisplayName 1 (1).json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json new file mode 100644 index 00000000..ff5257a6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json 
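Review bot: `Status = todynamic(DeviceDetail)` in the first `extend` of `query` parses the DeviceDetail column a second time under the name Status, so `StatusCode` and `StatusDetails` on the next line are read from device metadata instead of the sign-in status object; the intended line is `| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)`. The bug is masked because neither column survives the `summarize`, but it will surface the moment someone adds them to the output. Separately, `IPCustomEntity = IPAddress` is assigned after `make_set` and `tostring`, so the IP entity mapping receives a serialized JSON array rather than a single address and will likely not resolve to an IP entity; `mv-expand` the set before the mapping, or expose it via `customDetails` instead.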
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/927ca451-fe12-4de3-983d-bd50cc359b7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/927ca451-fe12-4de3-983d-bd50cc359b7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CampaignInfo", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [], + "techniques": [], + "displayName": "Duplicate Rule DisplayName 1", + "enabled": true, + "description": "", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From 843135571eb46761c32fa39583304a62da20efd4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:46 +0000 Subject: [PATCH 130/375] Exported file: Duplicate Rule DisplayName 1.json.json --- .../Duplicate Rule DisplayName 1.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json 
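Review bot: This rule is exported with `"enabled": true`, a query that is nothing but a bare table name (`"query": "CampaignInfo"`) and `"triggerThreshold": 0` under `GreaterThan`, so every 5-hour run in which the table holds at least one row raises a Medium incident with no entities attached. The sibling `Duplicate Rule DisplayName 1.json` in the next patch has the same shape over `CommonSecurityLog`, which is far more likely to be populated in a real workspace. If these two are fixtures for the duplicate-display-name case (same `displayName`, different rule GUIDs), they should be exported with `"enabled": false` and the empty `"description": ""` should say they are test fixtures so nobody deploys them as detections.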
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json new file mode 100644 index 00000000..75316020 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json @@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63d1052b-e396-4366-a76f-4665b4b8f319')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63d1052b-e396-4366-a76f-4665b4b8f319')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CommonSecurityLog", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [], + "techniques": [], + "displayName": "Duplicate Rule DisplayName 1", + "enabled": true, + "description": "Duplicate Rule DisplayName 1", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From b9cc93c7e9e07af557c54978e7b1ae571453672d Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:47 +0000 Subject: [PATCH 131/375] Exported file: Email access via active sync.json.json --- .../Email access via active sync.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Email access via active sync.json diff --git a/SentinelExported-AnalyticsRule/Email access via active sync.json b/SentinelExported-AnalyticsRule/Email access via active sync.json new file mode 100644 index 00000000..2f367c0d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Email access via active sync.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/215089a8-4173-47cc-801b-56f449b9e978')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/215089a8-4173-47cc-801b-56f449b9e978')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\nlet cmdList = dynamic([\"Set-CASMailbox\",\"ActiveSyncAllowedDeviceIDs\",\"add\"]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessCommandLine has_all (cmdList)\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend 
Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| extend Type = strcat(Type, \": \", Source)\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Email access via active sync", + "enabled": false, + "description": "This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\n- Note that this query can be changed to use the KQL \"has_all\" operator, which hasn't yet been documented officially, but will be soon.\n In short, \"has_all\" will only match when the referenced field has all strings in the list.\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps", + "alertRuleTemplateName": 
"2f561e20-d97b-4b13-b02d-18b34af6e87c" + } + } + ] +} \ No newline at end of file From 47599595f259093d5595665aaa04d259c2f8a771 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:48 +0000 Subject: [PATCH 132/375] Exported file: Excessive Amount of Denied Connections from a Single Source.json.json --- ...nied Connections from a Single Source.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json diff --git a/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json new file mode 100644 index 00000000..5a4748f5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42fd648-56d8-405b-8303-ecbf32e7f3be')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42fd648-56d8-405b-8303-ecbf32e7f3be')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 5000;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\" and Status =~ \"Deny\"\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Excessive Amount of Denied Connections from a Single Source", + "enabled": false, + "description": "This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.", + "alertRuleTemplateName": "3d645a88-2724-41a7-adea-db74c439cf79" + } + } + ] +} \ No newline at end of 
file From 09dfb954a6506ad01b02f945f016988e24763762 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:49 +0000 Subject: [PATCH 133/375] Exported file: Excessive Denied Proxy Traffic.json.json --- .../Excessive Denied Proxy Traffic.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json diff --git a/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json new file mode 100644 index 00000000..7ff20617 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 100;\nSymantecProxySG \n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Excessive Denied Proxy Traffic", + "enabled": false, + "description": "This alert creates an incident when a client generates an excessive 
amounts of denied proxy traffic.", + "alertRuleTemplateName": "7a58b253-0ef2-4248-b4e5-c350f15a8346" + } + } + ] +} \ No newline at end of file From d0bc1c81ebd5886437ac036040d1f6faf98d824b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:49 +0000 Subject: [PATCH 134/375] Exported file: Excessive Failed Authentication from Invalid Inputs.json.json --- ...ed Authentication from Invalid Inputs.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json diff --git a/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json new file mode 100644 index 00000000..d8b18864 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6926bd2-1c73-494e-b193-b5853be6b838')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6926bd2-1c73-494e-b193-b5853be6b838')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Excessive Failed Authentication from Invalid Inputs", + "enabled": false, + "description": "Creates an incident in the event that a 
user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.", + "alertRuleTemplateName": "c775a46b-21b1-46d7-afa6-37e3e577a27b" + } + } + ] +} \ No newline at end of file From b807536d56871c78ecdaa573888068efa6667486 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:50 +0000 Subject: [PATCH 135/375] Exported file: Excessive NXDOMAIN DNS Queries (Normalized DNS).json.json --- ...NXDOMAIN DNS Queries (Normalized DNS).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json new file mode 100644 index 00000000..642acc92 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json 
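Review bot: The summarize groups by both `User` and `ClientIP` (`summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP`), so the 15-rejection threshold only trips when the same user/IP pair fails repeatedly in a 15-minute bin; a spray across many users from one IP, or distributed attempts against one user from many IPs, never reaches it even though the description frames the rule as a brute-force indicator. Consider a second aggregation keyed on one dimension, e.g. `| summarize Total = count(), Users = dcount(User) by bin(TimeGenerated, 15m), ClientIP`, or at least carry `make_set(ClientIP)` / `make_set(User)` so the analyst can see the spread. The hard-coded `threshold = 15` is also undocumented; a comment in the query stating it is per user/IP pair per 15 minutes would help tuning.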
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let threshold = 200;\nimDns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (imDns(responsecodename='NXDOMAIN')\n ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Excessive NXDOMAIN DNS Queries (Normalized DNS)", + "enabled": false, + "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for 
non-existent domains. \nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851" + } + } + ] +} \ No newline at end of file From b60346dcb4650d6fec561055190061733c6ff923 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:51 +0000 Subject: [PATCH 136/375] Exported file: Excessive NXDOMAIN DNS Queries.json.json --- .../Excessive NXDOMAIN DNS Queries.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json new file mode 100644 index 00000000..8a17da24 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json 
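Review bot: The `join kind=inner (imDns(responsecodename='NXDOMAIN')) on SrcIpAddr` is keyed on the source address only, not on the 15-minute bin, so a source that crosses 200 NXDOMAINs in one bin pulls back every one of its NXDOMAIN events across the whole query period, one output row per event, with the left side's `count_` and binned `TimeGenerated` duplicated on each row. With `triggerThreshold: 0` the rule still fires, but the alert payload grows with the raw event volume rather than with the number of offending sources. Joining on the bin as well, or dropping the join and keeping `make_set(DnsQuery, 100)` in the summarize, gives one row per source per bin. The InfobloxNIOS variant in the next patch (`join ... on Client_IP`) has the same shape, and the commented-out `//| where DnsResponseCodeName =~ "NXDOMAIN"` line should go since the parser argument already applies that filter.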
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/25bd255a-bf5e-4c83-b39f-fb8570442411')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/25bd255a-bf5e-4c83-b39f-fb8570442411')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 200;\nInfobloxNIOS\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n | where isnotempty(ResponseCode)\n | where ResponseCode =~ \"NXDOMAIN\"\n ) on Client_IP\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Excessive NXDOMAIN DNS Queries", + "enabled": false, + 
"description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.", + "alertRuleTemplateName": "b8266f81-2715-41a6-9062-42486cbc9c73" + } + } + ] +} \ No newline at end of file From a5f64548b985f9a269046de3467486588cf2da1b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:52 +0000 Subject: [PATCH 137/375] Exported file: Excessive Windows logon failures.json.json --- .../Excessive Windows logon failures.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Windows logon failures.json diff --git a/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json new file mode 100644 index 00000000..9d2bb8c5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5178c35e-cf89-4442-b41b-ff963659f9a5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5178c35e-cf89-4442-b41b-ff963659f9a5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 0.333;\nlet countlimit = 50;\nSecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4625 and AccountType =~ \"User\"\n| where IpAddress !in (\"127.0.0.1\", \"::1\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\n| join kind=leftouter (\n SecurityEvent \n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n | where EventID == 4625 and AccountType =~ \"User\"\n | where IpAddress !in (\"127.0.0.1\", \"::1\")\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 
'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| extend WorkstationName = iff(WorkstationName == \"-\" or isempty(WorkstationName), Computer , WorkstationName) \n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\n| order by sum_CountToday desc nulls last \n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Excessive Windows logon failures", + "enabled": false, + "description": "User has 
over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.", + "alertRuleTemplateName": "2391ce61-8c8d-41ac-9723-d945b2e90720" + } + } + ] +} \ No newline at end of file From 146012420586489b9a08dfc50fba98cca9107b04 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:53 +0000 Subject: [PATCH 138/375] Exported file: Excessive number of failed connections from a single source (ASIM Network Session schema).json.json --- ... source (ASIM Network Session schema).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json diff --git a/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json new file mode 100644 index 00000000..1471296f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7b90ebc-9243-4837-bc04-15808d6fffdf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7b90ebc-9243-4837-bc04-15808d6fffdf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let threshold = 5000;\nimNetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)", + "enabled": false, + "description": "This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).", + "alertRuleTemplateName": "4902eddb-34f7-44a8-ac94-8486366e9494" + } + } + ] +} \ No newline at end of file From 10972675846133a1d10e657286d5c0afa38c32ff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:53 +0000 Subject: [PATCH 139/375] Exported file: Exchange AuditLog disabled.json.json --- .../Exchange AuditLog disabled.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json diff --git a/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json new file mode 100644 index 00000000..cfee7baa --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json 
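Review bot: The `description` value at the end of the hunk spans three physical lines that carry no `+` marker, whereas the `query` value in the same file escapes its line breaks as `\n`; if the exported file really contains raw newlines inside that string, a strict JSON parser and the ARM deployment will reject it, so confirm the exporter wrote `\n` escapes and this is only an artifact of how the patch was rendered. The sensitivity knob the description tells operators to "modify" is the hard-coded `let threshold = 5000;` inside the query string; exposing it as a template parameter next to `workspace` (for example `"threshold": { "type": "int", "defaultValue": 5000 }` spliced into the query with `concat`) would let it be tuned at deployment time without editing KQL. `groupByAlertDetails` and `groupByCustomDetails` are `null` here but `[]` in the ProxyShell rule later in this series; one representation should be chosen for the whole exported set.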
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7d192e4-4786-463b-acef-ae7ea5569a06')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7d192e4-4786-463b-acef-ae7ea5569a06')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nOfficeActivity\n| where UserType in~ (\"Admin\",\"DcAdmin\") \n// Only admin or global-admin can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\" \n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Exchange AuditLog disabled", + "enabled": false, + "description": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt\nto evade detection or avoid other defenses.", + "alertRuleTemplateName": "194dd92e-d6e7-4249-85a5-273350a7f5ce" + } + } + ] +} \ No newline at end of file From bbec0b2c8d5d52c8b2abc4c062da589254d9164e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:54 +0000 Subject: [PATCH 140/375] Exported file: Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json.json --- ...tribute Containing Potential Webshell.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json diff --git a/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json new file mode 100644 index 00000000..0cb51c74 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json 
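Review bot: The `AdminAuditLogEnabled` flag is pulled out positionally with `array_slice(parse_json(Parameters),3,3)`, so a `Set-AdminAuditLogConfig` call whose parameter array carries the flag at any other index (more, fewer or reordered parameters) is silently missed by the detection; the `.Value` access shows the elements are name/value objects, so selecting by name is more robust: `| mv-apply p = parse_json(Parameters) on (where tostring(p.Name) =~ "AdminAuditLogEnabled" | project AdminAuditLogEnabledValue = tostring(p.Value))`. The name key is inferred from the `.Value` access in the hunk and should be confirmed against a sample `OfficeActivity` record before changing the query. Disabling audit logging is a step that precedes other activity the audit trail would otherwise record, so a `P1D` `queryFrequency`/`queryPeriod` leaves up to a day of blind time; a shorter window such as `PT1H` with a matching period fits a `DefenseEvasion` rule better.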
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6e2aa27-43bc-45b2-b96d-48b735364839')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6e2aa27-43bc-45b2-b96d-48b735364839')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "SecurityEvent\n// Look for specific Directory Service Changes and parse data\n| where EventID == 5136\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion = array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\n// Where changes relate to Exchange OAB\n| extend ObjectClass = column_ifexists(\"ObjectClass\", \"\")\n| where ObjectClass =~ \"msExchOABVirtualDirectory\"\n// Look for InternalHostName or ExternalHostName properties being changed\n| extend AttributeLDAPDisplayName = column_ifexists(\"AttributeLDAPDisplayName\", \"\")\n| where AttributeLDAPDisplayName in (\"msExchExternalHostName\", \"msExchInternalHostName\")\n// Look for suspected webshell activity\n| extend AttributeValue = column_ifexists(\"AttributeValue\", \"\")\n| where AttributeValue has \"script\"\n| project-rename LastSeen = TimeGenerated\n| extend ObjectDN = column_ifexists(\"ObjectDN\", \"\")\n| project-reorder 
LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange OAB Virtual Directory Attribute Containing Potential Webshell", + "enabled": false, + "description": "This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns", + "alertRuleTemplateName": "faf1a6ff-53b5-4f92-8c55-4b20e9957594" + } + } + ] +} \ No newline at end of file From bf5b6862f17b26289e657c45deb34227645fe25e Mon Sep 17 00:00:00 2001 
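Review bot: The rule is entirely dependent on Windows Event ID 5136 being produced, which requires the Directory Service Changes audit subcategory on the domain controllers and a SACL on the Exchange OAB virtual directory objects; neither prerequisite is stated in `description`, so a deployment without them returns zero rows with no indication that the rule is blind. Add to the description a sentence such as `Prerequisite: Directory Service Changes auditing (Event ID 5136) must be enabled on domain controllers and the msExchOABVirtualDirectory objects must carry a SACL for write operations, otherwise this rule produces no results.`. `techniques` is `null` although the description names CVE-2021-27065 and the related ProxyShell rule later in this series maps `T1190`; populating it keeps the MITRE coverage view consistent across the exported set.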
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:55 +0000 Subject: [PATCH 141/375] Exported file: Exchange SSRF Autodiscover ProxyShell - Detection (1).json.json --- ...todiscover ProxyShell - Detection (1).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json new file mode 100644 index 00000000..f884c9ec --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26de50a-8f22-4454-ae13-6442ac7decad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26de50a-8f22-4454-ae13-6442ac7decad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": 
null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection", + "enabled": false, + "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95" + } + } + ] +} \ No newline at end of file From b1fcb89b96ca5bf89ab864a884cff374cf33e85e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:56 +0000 Subject: [PATCH 142/375] Exported file: Exchange SSRF Autodiscover ProxyShell - Detection.json.json --- ...F Autodiscover ProxyShell - Detection.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json new file mode 100644 index 00000000..54b461bc --- /dev/null 
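Review bot: This file is a second instance of the same template as the `Exchange SSRF Autodiscover ProxyShell - Detection` rule exported immediately after it in this series (both carry `alertRuleTemplateName` `968358d6-6af8-49bb-aaa4-187b3067fb95` and a byte-identical `query`), differing only in rule id, `enabled`, suppression values and mappings; keeping both in one workspace means duplicate incidents for every hit once this copy is enabled, so the exported set should retain one of them and the `(1)` file looks like the one to drop. Within this hunk the query's final `extend` computes `ResourceCustomEntity = _ResourceId` and `FileCustomEntity = FileUri`, but `entityMappings` lists only Account, Host and IP, so those two columns never become entities; either map them (the sibling rule maps `ResourceCustomEntity` to an `AzureResource` entity with identifier `ResourceId`) or remove them from the `extend` so the projection does not imply coverage that is not there.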
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64ce2f23-eab3-4e96-899a-bd2403d21a86')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64ce2f23-eab3-4e96-899a-bd2403d21a86')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + 
"groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "AzureResource", + "fieldMappings": [ + { + "identifier": "ResourceId", + "columnName": "ResourceCustomEntity" + } + ] + } + ], + "templateVersion": "1.0.1", + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190" + ], + "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection", + "enabled": true, + "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95" + } + } + ] +} \ No newline at end of file From d4b9c0f117ef0b48ccb4e0989a723220a3e41282 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:57 +0000 Subject: [PATCH 143/375] Exported file: Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json.json --- ...lities Disclosed March 2021 IoC Match.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json 
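Review bot: `FileCustomEntity = FileUri` is produced by the query's final `extend` but no entry in `entityMappings` consumes it, so the path of the suspicious request is lost from the incident even though the query went to the trouble of projecting `FileUri`; add a `File` entity mapping for it or drop the column to keep the projection honest. `suppressionDuration` is `PT5H` while `suppressionEnabled` is `false`, and `lookbackDuration` is `PT5H` while `groupingConfiguration.enabled` is `false`, so both five-hour values are inert; either enable the corresponding feature or leave the defaults so a reader does not assume suppression or grouping is active on an `enabled: true` High-severity rule. This is also the only rule in the series that writes `groupByAlertDetails`/`groupByCustomDetails` as `[]` rather than `null`; the same property should not change type from file to file in one export.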
diff --git a/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json new file mode 100644 index 00000000..d1e23e0c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb2153ae-e569-42cf-8467-40f05affa51f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb2153ae-e569-42cf-8467-40f05affa51f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where 
InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(VMConnection\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\n| where SourceIp in (ips) or DestinationIp in (ips)\n| extend IPMatch = case( SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID 
== 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nDeviceNetworkEvents\n| where (RemoteIPType =~ \"Public\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\nDnsEvents\n| where SubType =~ \"LookupQuery\"\n| where Name has_any (domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n),\n(\nimDns(domain_has_any=domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange Server Vulnerabilities Disclosed March 2021 IoC Match", + "enabled": false, + "description": "This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/", + "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305" + } + } + ] +} \ No newline at end of file From 55a29ce6ba0bc1aa279e96efd76e9c3e19e6c7af Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:57 +0000 Subject: [PATCH 144/375] Exported file: Exchange workflow MailItemsAccessed operation anomaly.json.json --- ...w MailItemsAccessed operation anomaly.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json diff --git a/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json new file mode 100644 index 00000000..1611fad8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json 
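Review bot: The indicator list is fetched on every run via `externaldata` from `raw.githubusercontent.com/.../master/...`, so what this rule alerts on is whatever that branch serves at query time: the query errors out whenever the URL is unreachable from the workspace, and an upstream edit to the CSV changes the detection with no change to this file; pin the reference to a commit SHA or, better, load the indicators into a watchlist or the threat-intelligence indicator table and query that. Several `union` branches set `AccountCustomEntity`/`HostCustomEntity` while `entityMappings` maps only `IPCustomEntity`, so account and host context is dropped from every incident; add `Account` and `Host` mappings as the sibling rules in this series do. The `WindowsFirewall` branch sets neither `timestamp` nor `IPCustomEntity`, and the `CommonSecurityLog` `FileHash` branch sets no entity column, so hits from those sources arrive with no entity at all. The file-path and hash comparisons use case-sensitive `in (file_paths)` / `in (sha256s)` where `in~` would match regardless of the case the source logs use for Windows paths and hex digests.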
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0021314-e49e-45d9-801f-e7bca20e9046')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0021314-e49e-45d9-801f-e7bca20e9046')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, score;\n// Joining the flagged outlier from the previous step with the original dataset to 
present contextual information\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\n OfficeActivity\n | where TimeGenerated > ago(2d)\n | extend DateHour = bin(TimeGenerated, 1h)\n | where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\n | order by HourlyCount desc \n) on TimeGenerated\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\n| order by PercentofTotal desc \n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Exchange workflow MailItemsAccessed operation anomaly", + "enabled": false, + "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed", + "alertRuleTemplateName": "b4ceb583-4c44-4555-8ecf-39f572e827ba" + } + } + ] +} \ No newline at end of file From d847bd4a479531febf69c46d736ed561ca99a8f9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:58 +0000 Subject: [PATCH 145/375] Exported file: Explicit MFA Deny.json.json --- .../Explicit MFA Deny.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Explicit MFA Deny.json diff --git a/SentinelExported-AnalyticsRule/Explicit MFA Deny.json b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json new file mode 100644 index 00000000..441d5de3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json 
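Review bot: The inline comment on the percentage filter says `Filter Users with count of less than 5 percent of TotalEvents per Hour` while `percentthreshold` is `50`, so the comment and the code disagree and anyone tuning the rule from the comment misreads what it drops; replace it with `// Drop users whose share of the hour's total is below percentthreshold (default 50%) to remove low-volume FPs`. `PercentofTotal` is computed as `round(HourlyCount/Total, 2) * 100`, which rounds the ratio to two decimals before scaling, so shares that differ in the third decimal collapse onto the same whole percentage and can flip the `> percentthreshold` verdict at the boundary; `round(HourlyCount * 100.0 / Total, 2)` rounds after scaling and keeps the precision the comparison needs. Minor: the comments spell `anomoly`, `retrive` and `Positivies`, and `IPAdressList` is a misspelled output column name that downstream playbooks will have to reference as written.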
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Explicit MFA Deny",
+ "enabled": false,
+ "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.",
+ "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e4794e9637034a66b55c5c09c3ca0c3474ebebfa Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:59 +0000 Subject: [PATCH 146/375] Exported file: External Upstream Source Added to Azure DevOps Feed.json.json
---
 ...eam Source Added to Azure DevOps Feed.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
diff --git a/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
new file mode 100644
index 00000000..7091dc03
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
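Review bot: The URL entity mapping in `entityMappings` binds `URLCustomEntity`, which the query sets from `ClientAppUsed`, to the `Url` identifier; `ClientAppUsed` carries the client application name rather than a URL, so the resulting entity is mislabelled and adds nothing useful to the incident. Either drop that mapping or source the column from a field that actually holds a URL. The query also contains a no-op `| extend Type = Type` that can be removed, and it compares `ResultType == 500121` as an integer; if `ResultType` is a string column in these tables, `| where ResultType == \"500121\"` is the safer form — worth confirming against the table schema.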
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\nlet allowed_sources = dynamic([\"NuGet Gallery\"]);\nlet allowed_locations = dynamic([\"https://api.nuget.org/v3/index.json\"]);\nAzureDevOpsAuditing\n// Look for feeds created or modified at either the organization or project level\n| where OperationName matches regex \"Artifacts.Feed.(Org|Project).Modify\"\n| where Details has \"UpstreamSources, added\"\n| extend FeedName = tostring(Data.FeedName)\n| extend FeedId = tostring(Data.FeedId)\n| extend UpstreamsAdded = Data.UpstreamsAdded\n// As multiple feeds may be added expand these out\n| mv-expand UpstreamsAdded\n// Only focus on external feeds\n| where UpstreamsAdded.UpstreamSourceType !~ \"internal\"\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\n| extend SourceName = tostring(UpstreamsAdded.Name)\n// Exclude sources and locations in the allow list\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "External Upstream Source Added to Azure DevOps Feed",
+ "enabled": false,
+ "description": "The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.",
+ "alertRuleTemplateName": "adc32a33-1cd6-46f5-8801-e3ed8337885f"
+ }
+ }
+ ]
+}
\ No newline at end of file
From bad93a2b97c57b7be5750a9eb6cdb3a32e57a6e6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:16:59 +0000 Subject: [PATCH 147/375] Exported file: External User Access Enabled.json.json
---
 .../External User Access Enabled.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External User Access Enabled.json
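Review bot: The allow-list filter `| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)` suppresses an event when either the location or the display name is allow-listed, so a feed whose name happens to match an allowed entry is dropped regardless of where it actually points. Because the name is free-form while the location identifies the real source, key the exclusion on location alone, or require both to match: `| where not(SourceLocation in (allowed_locations) and SourceName in (allowed_sources))`. `SourceStatus` is extended but omitted from the following `project-reorder`, so it is either unused or missing from the intended output.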
diff --git a/SentinelExported-AnalyticsRule/External User Access Enabled.json b/SentinelExported-AnalyticsRule/External User Access Enabled.json
new file mode 100644
index 00000000..1d8faa74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External User Access Enabled.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nZoomLogs \n| where Event =~ \"account.settings_updated\" \n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\") \n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\", \n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\", \n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\", \n EnforceLoginDomain == 'false', \"Enfored Domains Changed\", \n GuestAlerts == 'false', \"Guest Join Alerts Changed\", \n EnforceLogin == 'false', \"Enforced Logins Changed\", \n \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External User Access Enabled",
+ "enabled": false,
+ "description": "This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.",
+ "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9f5e4b145b74a278ee012756ff4b1833172940b7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:00 +0000 Subject: [PATCH 148/375] Exported file: External guest invitations by default guest followed by Azure AD powershell signin.json.json
---
 ...ollowed by Azure AD powershell signin.json | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
diff --git a/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
new file mode 100644
index 00000000..35faf84e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
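Review bot: `EnforceLogin` and `EnforceLoginDomain` both read the same column, `payload_object_settings_schedule_meeting_enfore_login_b`, so the second is always a copy of the first and the `case()` branches that distinguish domain enforcement from login enforcement can never fire independently. Presumably the second `columnifexists` was meant to read the domain-restricted variant of the setting; confirm the field name in the Zoom payload and point `EnforceLoginDomain` at it. The runtime label `\"Enfored Domains Changed\"` is also misspelled and will be shown in alerts as written.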
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs \n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\",\"Invite external user with reset invitation status\")\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| where InitiatedByUser has_any (\"live.com#\", \"#EXT#\")\n| extend parsedUser = iff(InitiatedByUser has \"live.com#\", tostring(split(InitiatedByUser, \"#\")[1]),tostring(split(InitiatedByUser, \"#EXT#\")[1])) , InvitationTime = TimeGenerated\n| join ( \nSigninLogs \n| where UserType == \"Guest\" and AppDisplayName == \"Microsoft Azure PowerShell\"\n| extend SigninTime = TimeGenerated\n) on $left.parsedUser == $right.UserPrincipalName\n| project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName , IPAddress, UserType\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess",
+ "Persistence",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "External guest invitations by default guest followed by Azure AD powershell signin",
+ "enabled": false,
+ "description": "By default guests have capability to invite more external guest user, who can do suspicious Azure AD enumeration. This detection will first look at guests \ninviting external guests users who are then logging via Azure AD powershell after accpeting invitation.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/",
+ "alertRuleTemplateName": "acc4c247-aaf7-494b-b5da-17f18863878a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4c44011edf777ddf22e821b765b5ce89b2a17a5d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:01 +0000 Subject: [PATCH 149/375] Exported file: External user added and removed in short timeframe.json.json
---
 ... added and removed in short timeframe.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
diff --git a/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
new file mode 100644
index 00000000..faba53c0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
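Review bot: This rule has no `entityMappings` block, unlike the sibling rules in this series, so the incidents it creates carry no Account or IP entities even though the query already projects `InitiatedByUser`, `parsedUser` and `IPAddress`; adding a final `| extend AccountCustomEntity = InitiatedByUser, IPCustomEntity = IPAddress` plus the matching Account and IP mappings would make the alerts investigable (the invited guest in `parsedUser` could be mapped as a second account). The `join` also imposes no time ordering, so a guest sign-in that predates the invitation still matches; `| where SigninTime > InvitationTime` after the join expresses the "followed by" relationship the display name describes.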
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n| join (\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberRemoved\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n) on UPN\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External user added and removed in short timeframe",
+ "enabled": false,
+ "description": "This detection flags the occurances of external user accounts that are added to a Team and then removed within\none hour.",
+ "alertRuleTemplateName": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4beac242e0673f9fb9c0cd3683ff119e7902f38c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:02 +0000 Subject: [PATCH 150/375] Exported file: Failed AWS Console logons but success logon to AzureAD.json.json
---
 ...e logons but success logon to AzureAD.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
new file mode 100644
index 00000000..9181a3df
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
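Review bot: The join is `on UPN` only, so an external user added to one team and removed from a different team inside the period is paired up, and the `TeamName` in the final `project` comes from the add side alone; joining `) on UPN, TeamName` keeps the pairing per team. `tostring(parse_json(Members)[0].UPN)` also inspects just the first entry of the `Members` array, so additions or removals that list several members are only partially covered — `mv-expand` over `parse_json(Members)` before the `#EXT#` filter would handle them. The "within one hour" in the description is enforced only by `queryPeriod`, not by the query itself; an explicit `| where TimeDeleted - TimeAdded <= 1h` would make that intent survive a change to the schedule.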
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where EventName == \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize count() by SourceIpAddress\n| where count_ > signin_threshold\n| summarize make_list(SourceIpAddress);\n//See if any of those IPs have sucessfully logged into Azure AD.\nSigninLogs\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails) \n| extend Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AWS Console logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "910124df-913c-47e3-a7cd-29e1643fa55e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4ed4ae7418ff92a6b4e2fd7292556c2751c5ae54 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:03 +0000 Subject: [PATCH 151/375] Exported file: Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json.json
---
 ... logon to AWS Console, test-6_30_2022.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
new file mode 100644
index 00000000..a21c7140
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
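Review bot: The comment `//See if any of those IPs have sucessfully logged into Azure AD.` and the description both describe successful Azure AD sign-ins, but the filter `| where ResultType !in (\"0\", \"50125\", \"50140\")` keeps every result type except success and the two interrupted-flow codes, i.e. it selects the failures; the companion rules in this series use the identical `!in` expression precisely to collect failed sign-ins. If success is what this rule intends, the line should read `| where ResultType in (\"0\", \"50125\", \"50140\")`. Separately, the Azure AD side consults only `SigninLogs`, whereas the sibling rules also union `AADNonInteractiveUserSignInLogs`; non-interactive successes from a flagged IP are therefore missed here.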
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit your environment\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold\nlet aadFunc = (tableName:string){\nlet Suspicious_signins = \ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in (\"127.0.0.1\", \"::1\")\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\nSuspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet Suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into the AWS console\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult =~ \"Success\"\n| where SourceIpAddress in (Suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to AWS Console, test-6/30/2022",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "643c2025-9604-47c5-833f-7b4b9378a1f5"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 545ddbba3ba86c9d9c51f9a65956f335324ca64d Mon Sep 17 00:00:00 2001
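Review bot: `Suspicious_signins` is declared twice — once inside `aadFunc` as the per-table set and again at the outer scope as the union — which makes the query hard to follow, and the outer `| summarize make_set(set_IPAddress)` aggregates dynamic arrays; confirm that this yields a flat set of IP strings, because if it produces a set of arrays the `| where SourceIpAddress in (Suspicious_signins)` filter matches nothing. Inserting `| mv-expand set_IPAddress` before the outer `make_set` removes the doubt. `MFAUsed` is extracted but only used as a group key; a successful console login with MFA from a flagged IP is a weaker signal than one without, so it is worth surfacing in the alert details or severity. The `displayName` still carries the `test-6/30/2022` suffix, which looks like a leftover from testing.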
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:03 +0000 Subject: [PATCH 152/375] Exported file: Failed AzureAD logons but success logon to host.json.json
---
 ...reAD logons but success logon to host.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
new file mode 100644
index 00000000..ea33b6f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit the environment\nlet signin_threshold = 5;\n//Make a list of all IPs with failed signins to AAD above our threshold\nlet aadFunc = (tableName:string){\nlet suspicious_signins =\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in ('127.0.0.1', '::1')\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\n//See if any of these IPs have sucessfully logged into *nix hosts\nlet linux_logons =\nSyslog\n| where Facility contains \"auth\" and ProcessName != \"sudo\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\n//See if any of these IPs have sucessfully logged into Windows hosts\nlet win_logons =\nSecurityEvent\n| where EventID == 4624\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| where IpAddress in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\nunion isfuzzy=true linux_logons,win_logons\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to host",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "8ee967a2-a645-4832-85f4-72b635bcb3a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 54b9a4232ba511d4c3ebd5a73146d6bd47472056 Mon Sep 17 00:00:00 2001
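Review bot: Everything inside `aadFunc`, including the `Syslog` and `SecurityEvent` correlation, runs once per table name, so the final `union isfuzzy=true aadSignin, aadNonInt` emits each host logon twice whenever the source IP appears in both sign-in tables, and performs the host scans twice regardless. The companion AWS rule in this series builds the IP set from both sign-in tables first and correlates once; restructuring this query the same way (compute `suspicious_signins` from the union of the two tables, then evaluate `linux_logons` and `win_logons` against it) avoids the duplicate alerts. The `SourceIP` regex also extracts only the first IPv4 literal in the syslog message, so IPv6 source addresses on the Linux side are never compared with the set, while the Windows side has no such limitation.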
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:04 +0000 Subject: [PATCH 153/375] Exported file: Failed Logins from Unknown or Invalid User.json.json --- ...d Logins from Unknown or Invalid User.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json diff --git a/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json new file mode 100644 index 00000000..bb0c0a75 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed Logins from Unknown or Invalid User",
+ "enabled": false,
+ "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name",
+ "alertRuleTemplateName": "884be6e7-e568-418e-9c12-89229865ffde"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ce15dc98a2cf64e62fe86aa7d8b8a40c64a220b7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:05 +0000
Subject: [PATCH 154/375] Exported file: Failed host logons but success logon to AzureAD.json.json
---
 ...t logons but success logon to AzureAD.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
new file mode 100644
index 00000000..d6444aad
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
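Review bot: The final `extend` sets `timestamp = column_ifexists('published_t', now())`, so on a table without `published_t` every alert is stamped with the query's run time instead of the event time, and because the same `now()` fallback is also the `summarize` and `sort` key, all events of one run collapse into a single bucket; `TimeGenerated` is always present on the table and is the safer default, e.g. `column_ifexists('published_t', TimeGenerated)`. The second `summarize count() by ... column_ifexists('published_t', now())` groups on the per-event publish time, so its `count_` is effectively one per event and adds nothing beyond the threshold already applied in `FailedLogins`; dropping that key or binning it would give a meaningful per-user/IP count. `techniques` is `null` while `tactics` is `CredentialAccess`; T1110 (Brute Force) fits this query and restores the ATT&CK mapping in the rule metadata.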
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed Windows host logins above threshold\nlet win_fails = \nSecurityEvent\n| where EventID == 4625\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| summarize count() by IpAddress\n| where count_ > signin_threshold\n| summarize make_list(IpAddress);\n//Make a list of IPs with failed *nix host logins above threshold\nlet nix_fails = \nSyslog\n| where Facility contains 'auth' and ProcessName != 'sudo'\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP != \"\" and SourceIP != \"127.0.0.1\"\n| summarize count() by SourceIP\n| where count_ > signin_threshold\n| summarize make_list(SourceIP);\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\n| extend Reason= \"Multiple failed host logins from IP address with successful Azure AD login\"\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed host logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "1ce5e766-26ab-4616-b7c8-3b33ae321e80"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 85cffcb29a995a4eccb077cd8a0dcaf01b5386a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:06 +0000
Subject: [PATCH 155/375] Exported file: Failed login attempts to Azure Portal.json.json
---
 ...Failed login attempts to Azure Portal.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
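Review bot: Inside `aadFunc`, `| where ResultType !in ("0", "50125", "50140")` keeps the non-success sign-in results, which contradicts the rule name, the description and the comment directly above it ("...hve had a sucessful Azure AD login"); the sibling Azure Portal rule in this series treats exactly those three codes as the success/non-failure set, so unless failed-AAD correlation is intended the filter should read `| where ResultType in ("0", "50125", "50140")`. The last `extend` also misspells the event-time column as `timstamp = TimeGenerated`, so unlike every other rule on this page the alert carries no `timestamp`; change it to `timestamp = TimeGenerated`. While there, `hve`/`sucessful` in the comment are typos.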
diff --git a/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
new file mode 100644
index 00000000..8746e489
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins \n) on UserPrincipalName, Id\n| where TimeGenerated > TimeGenerated1\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup \n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed login attempts to Azure Portal",
+ "enabled": false,
+ "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+ "alertRuleTemplateName": "223db5c1-1bf8-47d8-8806-bed401b356a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c93543b38972dfc53c6be962b082effdbd047dc8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:07 +0000
Subject: [PATCH 156/375] Exported file: Failed logon attempts by valid accounts within 10 mins.json.json
---
 ...mpts by valid accounts within 10 mins.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
new file mode 100644
index 00000000..51f35ef7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
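Review bot: In `failnoSuccess`, the `join kind= leftouter` is followed by `| where TimeGenerated > TimeGenerated1`, and rows with no matching success carry a null `TimeGenerated1`; a comparison with null is not true in KQL, so failures with no later success at all — the case the comment "Verify there is no success ... after the fail" says should be kept — appear to be discarded. Keeping them needs an explicit null test, e.g. `| where isnull(TimeGenerated1) or TimeGenerated > TimeGenerated1`. The join is also keyed on `Id`; if `Id` is the per-request sign-in identifier, a failure and a subsequent success never share it, which is worth confirming before relying on this correlation. Minor: `Status = todynamic(DeviceDetail)` in the first `extend` looks like a copy-paste slip and is overwritten on the next line, so it can be dropped.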
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let threshold = 20;\nSecurityEvent \n| where EventID == 4625\n| where AccountType =~ \"User\"\n| where SubStatus !='0xc0000064' and Account !in ('\\\\', '-\\\\-')\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\n| extend ResourceId = column_ifexists(\"_ResourceId\", _ResourceId), SourceComputerId = column_ifexists(\"SourceComputerId\", SourceComputerId)\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\n| where FailedLogonCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts by valid accounts within 10 mins",
+ "enabled": false,
+ "description": "Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.",
+ "alertRuleTemplateName": "0777f138-e5d8-4eab-bec1-e11ddfbc2be2"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 3263b16be95fada5a832a96926487c2c095d397e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:07 +0000
Subject: [PATCH 157/375] Exported file: Failed logon attempts in authpriv.json.json
---
 .../Failed logon attempts in authpriv.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
new file mode 100644
index 00000000..b0cdc9f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
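Review bot: `| where SubStatus !='0xc0000064'` is a case-sensitive comparison while the `Reason` mapping below matches the same code with the case-insensitive `=~ '0xC0000064'`, so an event whose SubStatus is written in upper case survives the "account does not exist" exclusion and is counted as a valid-account failure, which is the opposite of what the rule name promises; `| where SubStatus !~ '0xc0000064'` makes the filter and the `case()` agree, after which the `'0xC0000064'` branch of `case()` is unreachable and can go. `column_ifexists("_ResourceId", _ResourceId)` (and its `SourceComputerId` twin) names the very column it is guarding as the fallback value, so it is unlikely to supply a default when that column is absent; an explicit literal such as `""` is what the second argument is for. The inline comment on `0xc0000064` could also say that this exclusion is what restricts the rule to existing accounts, since the display name depends on it.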
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nlet authfail = Syslog\n| where Facility =~ \"authpriv\" // looks at authpriv messages\n| where SyslogMessage contains \"authentication failure\" and SyslogMessage contains \" uid=0\"\n| parse SyslogMessage with * \"rhost=\" ExternalIP\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \nlet userfail = Syslog \n| where Facility =~ \"authpriv\" \n| where SyslogMessage contains \"user unknown\"\n| project TimeGenerated, Computer, HostIP, ProcessID;\n// Join the two log messages above\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\n// Extract the EventTime of the first logon attempt\nlet firstfail = userauthfail\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\n// Extract the EventTime of the last logon attempt\nlet lastfail = userauthfail\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\n// Count the number of failed logon attempts by External IP and internal machine\nlet totalfails = userauthfail\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\n// Combine total attempts with timing data from above\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\n| order by DestinationHost asc nulls last;\nfinalfails \n| where TotalLogonAttempts >= threshold\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts in authpriv",
+ "enabled": false,
+ "description": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.",
+ "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4e0f9e021606d8ce6d9be656d5b9c5c3f0650797 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:08 +0000
Subject: [PATCH 158/375] Exported file: First access credential added to Application or Service Principal where no credential was present.json.json
---
 ...cipal where no credential was present.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
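Review bot: `| parse SyslogMessage with * "rhost=" ExternalIP` captures everything from `rhost=` to the end of the message, so when the PAM line continues after the host (for example a trailing ` user=<name>` token) `ExternalIP` carries that text too, the per-IP `summarize` fragments one source into several keys and the threshold may never be reached; `| extend ExternalIP = extract(@"rhost=(\S+)", 1, SyslogMessage)` bounds the capture at the next whitespace. The IP entity is mapped from `DestinationIP = HostIP`, the attacked host's own address, which the Host entity already identifies, while the remote `SourceAddress` is not mapped at all, so incident grouping and threat-intelligence matching never see the attacking address; `IPCustomEntity = SourceAddress` is probably what was intended. The bare `authfail | join (userfail)` defaults to `innerunique`, which keeps only one left-side row per join key before `TotalLogonAttempts = count()` runs; `join kind=inner` avoids silently undercounting attempts that share a `ProcessID`.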
diff --git a/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
new file mode 100644
index 00000000..b6d69ff1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set == \"[]\"\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "First access credential added to Application or Service Principal where no credential was present",
+ "enabled": false,
+ "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 37e2cb499411051bb68bd1fd943db95a95a3bc5c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:17:09 +0000
Subject: [PATCH 159/375] Exported file: Fortinet - Beacon pattern detected.json.json
---
 .../Fortinet - Beacon pattern detected.json | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
diff --git a/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
new file mode 100644
index 00000000..ec5ccc3a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
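Review bot: `UserAgent = iff(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), "")` assumes the User-Agent entry is always the first element of `AdditionalDetails`, so any other ordering silently yields an empty agent string; selecting the element by key (e.g. `mv-apply` over `AdditionalDetails` with `| where key == "User-Agent"`) removes the positional dependency. The initiator filter `tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` admits an app initiator only when its display name contains an "@", which is rare, so app-driven credential additions are mostly excluded; either the description, which promises coverage of "admin or app owner account" actions, should say so, or the second clause should be loosened to `isnotempty(InitiatedBy.app.displayName)`. `techniques` is `null` while `tactics` is set; for this behaviour T1098.001 (Account Manipulation: Additional Cloud Credentials) is the usual ATT&CK mapping and would make the High-severity rule self-describing.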
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9862418-b01a-40d9-84e1-bece0e2e89bb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9862418-b01a-40d9-84e1-bece0e2e89bb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 1d;\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\nlet PrivateIPregex = @\"^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.\"; // exclude destinations that fall into this category\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where TimeGenerated > ago(starttime)\n// eliminate bad data\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \"0.0.0.0\"\n// filter out deny, close, rst and SNMP to reduce data volume\n| where DeviceAction !in (\"close\", \"client-rst\", \"server-rst\", \"deny\") and DestinationPort != 161\n// map input fields\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// where destination IPs are public\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n// sort into source->destination 'sessions'\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\n| serialize\n// time diff the contact times between source and destination to get a list of deltas\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\n| extend TimeDeltainSeconds = datetime_diff(\"second\",nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\n// remove small time deltas below the set threshold\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// summarize the deltas by source->destination\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\n// 
get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\n// expand the deltas and the outliers\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\n// replace outliers with the average of the distribution\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\n// summarize with the smoothed distribution\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\n// get stats on the smoothed distribution\n| extend series_stats(list_TimeDeltainSeconds_normalized)\n// match jitter tolerance on smoothed distrib\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\n// where the minimum beacon threshold is satisfied and there was some data transfer\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\n// final projection\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\n", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Fortinet - Beacon pattern detected", + "enabled": false, + "description": "Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\n detection is set to 4.\n Increase the lookback period to capture beacons with larger periodicities.\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\n automatically using series_outliers.\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.", + "alertRuleTemplateName": "3255ec41-6bd6-4f35-84b1-c032b18bbfcb" + } + } + ] +} \ No newline at end of file From a6b8f208f4b169f9cbe9ca066158f66a06c078b1 Mon Sep 17 00:00:00 2001 
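Review bot: Only the external DestinationIP is mapped to an entity (`IPCustomEntity = DestinationIP` in the final `extend`, and the single IP entry under `entityMappings`), so the incident carries no reference to the internal host that is doing the beaconing, which is the asset an analyst needs to triage first. Projecting the source as a second IP entity, e.g. `| extend timestamp = StartTime, IPCustomEntity = DestinationIP, SourceIPCustomEntity = SourceIP`, with a matching second `"entityType": "IP"` mapping whose `columnName` is `SourceIPCustomEntity`, keeps both endpoints on the incident. Separately, `PrivateIPregex` excludes loopback and the RFC 1918 ranges but not link-local 169.254.0.0/16 or CGNAT 100.64.0.0/10, so traffic to those ranges is treated as "public" by the `DestinationIPType` filter; whether that matters depends on the deployment. `makelist`/`makeset` are the legacy spellings of `make_list`/`make_set`.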
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:10 +0000 Subject: [PATCH 160/375] Exported file: Full Admin policy created and then attached to Roles, Users or Groups.json.json --- ...en attached to Roles, Users or Groups.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json diff --git a/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json new file mode 100644 index 00000000..daa33fc5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74a06942-f4b8-440a-bcbb-829dc41948ba')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74a06942-f4b8-440a-bcbb-829dc41948ba')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\nlet createPolicy = \"CreatePolicy\";\nlet timeframe = 1d;\nlet lookback = 14d;\n// Creating Master table with all the events to use with materialize for better performance\nlet EventInfo = AWSCloudTrail\n| where TimeGenerated >= ago(lookback)\n| where EventName in (EventNameList) or EventName == createPolicy;\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\nlet FullAdminPolicyEvents = materialize( EventInfo\n| where TimeGenerated >= ago(lookback)\n| where EventName == createPolicy\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n| mvexpand Statement\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\n| mvexpand Action\n| extend Action = tostring(Action)\n| where Effect =~ \"Allow\" and Action == \"*\" and Resource == \"*\"\n| distinct TimeGenerated, EventName, PolicyName, 
SourceIpAddress, UserIdentityArn, UserIdentityUserName\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| project-rename StartTime = TimeGenerated );\nlet PolicyAttach = materialize( EventInfo\n| where TimeGenerated >= ago(timeframe)\n| where EventName in (EventNameList)\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\n| extend AttachEvent = pack(\"StartTime\", StartTime, \"EndTime\", EndTime, \"EventName\", EventName, \"UserIdentityType\", UserIdentityType, \"UserIdentityArn\", UserIdentityArn, \"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\n);\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\nFullAdminPolicyEvents\n| join kind=leftouter\n(\n PolicyAttach\n)\non PolicyName\n| project-away PolicyName1\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Full Admin policy created and then attached to Roles, Users or Groups", + "enabled": false, + "description": "Identity and Access Management (IAM) securely manages access to AWS services and resources. \nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html", + "alertRuleTemplateName": "826bb2f8-7894-4785-9a6b-a8a855d8366f" + } + } + ] +} \ No newline at end of file From 35a8fd5ef8044a8c3dabac8599d94259e11a7652 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:10 +0000 Subject: [PATCH 161/375] Exported file: Gain Code Execution on ADFS Server via Remote WMI Execution.json.json --- ... ADFS Server via Remote WMI Execution.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json new file mode 100644 index 00000000..533e89ac --- /dev/null +++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json 
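Review bot: `Resource` is stringified without being expanded (`Resource = tostring(parse_json(Statement).Resource)` followed by `Resource == "*"`), so a statement written as `"Resource": ["*"]` — a common form in IAM policy documents — serialises to `["*"]` and never matches, while `Action` on the same line is correctly `mvexpand`-ed first. Expanding `Resource` the same way, `| extend Resource = parse_json(Statement).Resource | mvexpand Resource | extend Resource = tostring(Resource)`, closes that gap. The `PolicyName` derived in `PolicyAttach` via `split(policyArn,"/")[1]` is the path segment rather than the name for policies created with an IAM path, so such attachments will not join to the creation event; `[-1]` would take the final segment, as the creation branch already does for `UserIdentityArn`.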
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n| union isfuzzy=true (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n| distinct Computer);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ 
(ADFS_Servers)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| where CommandLine has_any ('rundll32') \n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 and LogonType == 3\n| where Account !endswith \"$\"\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n// Check for WMI Events\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| project TimeGenerated, EventType, Image, Computer, UserName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Gain Code Execution on ADFS Server via Remote WMI Execution", + "enabled": false, + "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\n Failed to resolve scalar expression named \"[@Name]\"\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml", + "alertRuleTemplateName": "0bd65651-1404-438b-8f63-eecddcec87b4" + } + } + ] +} \ No newline at end of file From b3b866d152350ee73448ed0b7e2222667a687de4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:11 +0000 Subject: [PATCH 162/375] Exported file: Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json.json --- ...MB + Remote Service or Scheduled Task.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json 
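Review bot: The lateral-movement join in the first union branch matches on `TargetLogonId` alone (`) on TargetLogonId`, with the inner side projecting only `TargetLogonId`), but logon IDs are unique only per host, so a 4624 network logon on any machine in the workspace can satisfy the join and the `Computer in~ (ADFS_Servers)` scoping on the outer side is effectively undone. Projecting `Computer` on the inner side and joining on both, `| project TargetLogonId, Computer` and `) on TargetLogonId, Computer`, fixes that and also lets the inner query be scoped with `| where Computer in~ (ADFS_Servers)` instead of scanning every 4624 in the workspace. The SMB/remote-service rule in the next commit has the same unscoped join on `$left.SubjectLogonId == $right.TargetLogonId`. The Sysmon pivot column list (`TimeGenerated, Source, EventLog, Computer, ...`) is duplicated verbatim between the ADFS_Servers discovery and the WMI-event branch; a `let` for it would keep the two in step.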
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json new file mode 100644 index 00000000..dd9c9768 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf490122-cedd-48e7-ba93-246d9ba9bfae')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf490122-cedd-48e7-ba93-246d9ba9bfae')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where Account !endswith \"$\"\n// Check for scheduled task events\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\n| extend EventDataParsed = parse_xml(EventData)\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\"#text\"])\n// Check specifically for access to IPC$ share and PIPE\\svcctl and PIPE\\atsvc for Service Control Services and Schedule Control Services\n| union ( \n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n | where Account !endswith \"$\"\n | where EventID == 5145\n | where RelativeTargetName =~ \"svcctl\" or RelativeTargetName =~ \"atsvc\"\n)\n// Check for lateral movement\n| join 
kind=inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Account !endswith \"$\"\n| where EventID == 4624 and LogonType == 3\n) on $left.SubjectLogonId == $right.TargetLogonId\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task", + "enabled": false, + "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.", + "alertRuleTemplateName": "12dcea64-bec2-41c9-9df2-9f28461b1295" + } + } + ] +} \ No newline at end of file From fc1ef7e6564a2016e518724182222d300d72d8f6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:12 +0000 Subject: [PATCH 163/375] Exported file: GitHub Activites from a New Country.json.json --- .../GitHub Activites from a New Country.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json 
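Review bot: The comment `// Check for scheduled task events` sits above `EventID in (4697, 4698, 4699, 4700, 4701, 4702)`, but 4697 is the service-install event rather than a scheduled-task event, and the positional `EventDataParsed.EventData.Data[3]["#text"]` is then used as `SubjectLogonId` for all six IDs; the note should read `// Check for service install (4697) and scheduled task events (4698-4702); SubjectLogonId is read positionally from EventData` so the next maintainer sees both facts. The positional index relies on the Subject* fields being the first four `Data` elements for every one of those event IDs — presumably true for the stock Windows schemas, but worth confirming, and a name-based lookup on `@Name` (as the sibling WMI rule does via `bag_unpack`/`pivot`) would not depend on element order. The 5145 branch comment mentions the IPC$ share, but the filter checks only `RelativeTargetName`; if `ShareName` is meant to be part of the condition it should be stated in the query rather than the comment.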
diff --git a/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json new file mode 100644 index 00000000..39ec52a6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAudit\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "GitHub Activites from a New Country", + "enabled": false, + "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.", + "alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546" + } + } + ] +} \ No newline at end of file From 41d48c366aa0026a9e17cdf7b1964d7bc274b4ad Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:13 +0000 Subject: [PATCH 164/375] Exported file: GitHub Security Vulnerability in Repository.json.json --- ... Security Vulnerability in Repository.json | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json diff --git a/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json new file mode 100644 index 00000000..f3242ab7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json 
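Review bot: `queryFrequency` is `P1D` but the detection window is `ago(StartTime) .. ago(EndRunTime)` with `StartTime = 1h` and `EndRunTime = 0`, so each daily run inspects only the final hour before it and the other 23 hours of GitHub activity are never evaluated; either `"queryFrequency": "PT1H"` or `let RunTime = 1d; let StartTime = 1d;` makes the cadence and the window agree. The new-country test `set_Country !contains Country` is a substring comparison on the serialised array, so a country whose name is contained in one already in the set (Niger/Nigeria, Guinea/Equatorial Guinea) is silently treated as already seen; `| where array_index_of(set_Country, Country) == -1` is an exact element test. `EndLearningTime` is `7d + 1h` while `queryPeriod` is `P7D`, so the first hour of the learning window falls outside the data the rule is given. `Activites` in the displayName (and the file name) is presumably a typo of `Activities`.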
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1e944163-f959-46f8-9760-95a54652437b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1e944163-f959-46f8-9760-95a54652437b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Informational", + "query": "\nGitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": null, + "techniques": null, + "displayName": "GitHub Security Vulnerability in Repository", + "enabled": false, + "description": "This alerts when there is a new security vulnerability in a GitHub repository.", + "alertRuleTemplateName": "5436f471-b03d-41cb-b333-65891f887c43" + } + } + ] +} \ No newline at end of file From bc20130bceeeba3db0bfc7ca897519331b69ef56 Mon Sep 17 00:00:00 2001 
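Review bot: The rule has no `entityMappings` and `tactics` is `null`, so the incidents it creates carry no entity (not even the repository) and cannot be grouped or pivoted on; since the query already projects `Severity` from the event, `"alertDetailsOverride": { "alertSeverityColumnName": "Severity" }` would at least let the GitHub-reported severity drive the alert instead of the fixed `Informational`. `DismmisedAt` in the `project` list looks like a misspelling of `DismissedAt`; if the `GitHubRepo` parser actually defines the column under that spelling it is correct as written, otherwise the query fails to resolve the column on every run — confirm against the parser. The query also has no `timestamp` extension, unlike the sibling rules in this series.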
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:13 +0000 Subject: [PATCH 165/375] Exported file: GitHub Signin Burst from Multiple Locations.json.json --- ... Signin Burst from Multiple Locations.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json diff --git a/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json new file mode 100644 index 00000000..2425d232 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName == \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > 1\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + 
"displayName": "GitHub Signin Burst from Multiple Locations", + "enabled": false, + "description": "This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).", + "alertRuleTemplateName": "d3980830-dd9d-40a5-911f-76b44dfdce16" + } + } + ] +} \ No newline at end of file From 542da202a63159d62ba6ccc78eb880339be44123 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:14 +0000 Subject: [PATCH 166/375] Exported file: GitHub Two Factor Auth Disable.json.json --- .../GitHub Two Factor Auth Disable.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json diff --git a/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json new file mode 100644 index 00000000..f8a9e188 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json 
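Review bot: `CountOfLocations > 1` over the whole hourly window, with `Location` a country-level value, fires on any user with sign-ins from two countries in that hour regardless of how close together they are, so the "burst" has no temporal component beyond `queryPeriod`; `BurstStartTime`/`BurstEndTime` are already computed, so a guard such as `| where datetime_diff("minute", BurstEndTime, BurstStartTime) < 30` (30 is a constructed example threshold) and an explicit `let LocationThreshold = 1;` at the top would make the tuning visible. Only the account is mapped as an entity although `SigninLogs`/`AADNonInteractiveUserSignInLogs` carry `IPAddress`; adding `IPAddresses = make_set(IPAddress)` to the `summarize` gives the analyst the addresses behind the locations. The description string `This alerts when there Signin burst` is missing a verb ("when there is a sign-in burst").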
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nGitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Two Factor Auth Disable",
+ "enabled": false,
+ "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ",
+ "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7"
+ }
+ }
+ ]
+}
\ No newline at end of file From 95bbb4c085fb48b0a564a5896889ffdb8883fa8e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:15 +0000 Subject: [PATCH 167/375] Exported file: Group created then added to built in domain local or global group.json.json --- ...built in domain local or global group.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json new file mode 100644
index 00000000..c85532e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
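Review bot: The daily cadence (`"queryFrequency": "P1D"`, `"queryPeriod": "P1D"`) lets removal of the organisation-wide two-factor requirement go unnoticed for up to 24 hours, which is long for a control whose removal the description itself says an attacker wants in order to go undetected; `"queryFrequency": "PT1H"` with `"queryPeriod": "PT1H"` would match the cadence of the GitHub sign-in rule in this series and still only fire on the single audit action. The query projects `Country` and `Repository` but maps neither, so `Repository` never reaches the alert; either drop them from the `project` or surface them via custom details. The description string ends with a trailing space, and `Attacker will want to disable such security tools in order to go undetected.` reads better as `An attacker will want to disable such security controls in order to go undetected.`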
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet GroupAddition = SecurityEvent \n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group \n| where EventID in (\"4728\", \"4732\", \"4756\") \n| where AccountType =~ \"User\" and MemberName == \"-\"\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\nlet GroupCreated = SecurityEvent\n// 4727 - A security-enabled global group was created\n// 4731 - A security-enabled local group was created\n// 4754 - A security-enabled universal group was created\n| where EventID in (\"4727\", \"4731\", \"4754\")\n| where AccountType =~ \"User\"\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\nGroupCreated\n| join (\nGroupAddition\n) on GroupSid \n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Group created then added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.",
+ "alertRuleTemplateName": "a7564d76-ec6b-4519-a66b-fcc80c42332b"
+ }
+ }
+ ]
+}
\ No newline at end of file From 531cc66b7bf07d733ae8848178537880603836ca Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:16 +0000 Subject: [PATCH 168/375] Exported file: HAFNIUM New UM Service Child Process.json.json --- .../HAFNIUM New UM Service Child Process.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json new file mode 100644
index 00000000..41dbee52
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
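Review bot: Both `where EventID in (...)` clauses compare against string literals (`"4728"`, `"4732"`, `"4756"` and `"4727"`, `"4731"`, `"4754"`) although `EventID` in `SecurityEvent` is an integer column, so the match depends on implicit conversion; `| where EventID in (4728, 4732, 4756)` and `| where EventID in (4727, 4731, 4754)` state the type directly and match the `EventID == 4688` style used by the HAFNIUM rules later in this series. The `join` between `GroupCreated` and `GroupAddition` names no `kind`, so it defaults to `innerunique` and keeps only one left-side row per `GroupSid` — acceptable here, but `join kind=inner` makes that deliberate. The `Persistence`/`PrivilegeEscalation` tactics are appropriate; consider stating in the description that only groups whose SID matches the well-known local (`S-1-5-32-5xx`) and domain RID patterns in `WellKnownLocalSID`/`WellKnownGroupSID` are covered, since a reader of the alert otherwise cannot tell why a custom privileged group is not matched.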
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM New UM Service Child Process",
+ "enabled": false,
+ "description": "This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9"
+ }
+ }
+ ]
+}
\ No newline at end of file From d8f1c0df75b36d726bcc94ed05249ffc806d3ca7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:16 +0000 Subject: [PATCH 169/375] Exported file: HAFNIUM Suspicious Exchange Request.json.json --- .../HAFNIUM Suspicious Exchange Request.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json new file mode 100644
index 00000000..ada898a7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
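Review bot: The `join kind=rightanti ... on NewProcessName` baselines by process name alone, so a child process first seen on any Exchange server in the 14-day window suppresses alerts for that name on every other server; that global baseline is a reasonable choice, but it should be stated in the description, or changed to `on Computer, NewProcessName` if per-host novelty is what the rule is meant to catch. The description's `has not previously been observed before` is redundant — `has not previously been observed` suffices — and it should also note that only Security event 4688 with `ParentProcessName` in `umworkerprocess.exe`/`UMService.exe` is considered, so hosts without process-creation auditing produce no baseline and no alerts.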
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let exchange_servers = (\nW3CIISLog\n| where TimeGenerated > ago(14d)\n| where sSiteName =~ \"Exchange Back End\"\n| summarize by Computer);\nW3CIISLog\n| where TimeGenerated > ago(1d)\n| where Computer in (exchange_servers)\n| where csUriQuery startswith \"t=\"\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious Exchange Request",
+ "enabled": false,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "23005e87-2d3a-482b-b03d-edbebd1ae151"
+ }
+ }
+ ]
+}
\ No newline at end of file From 9c78c9595344d1d7037f35b574223a3f459a79b1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:17 +0000 Subject: [PATCH 170/375] Exported file: HAFNIUM Suspicious File Downloads_.json.json --- .../HAFNIUM Suspicious File Downloads_.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json new file mode 100644
index 00000000..cbeb0997
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
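Review bot: `csUserName` in `W3CIISLog` is commonly `-` for unauthenticated requests, so the `Account` mapping on `AccountCustomEntity` will, for many matched rows, create an account entity literally named `-`; `| extend AccountCustomEntity = iff(csUserName == "-", "", csUserName)` leaves the mapping empty when no user was logged — confirm against the data in the workspace. The `csUriQuery startswith "t="` filter is intentionally broad, and the description should say so and point at `csUriStem`/`csUserAgent` as the columns to tune on, since an analyst reading the alert otherwise cannot tell what makes a request suspicious beyond the query-string prefix.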
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious File Downloads.",
+ "enabled": false,
+ "description": "This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "03e04c97-8cae-48b3-9d2f-4ab262e4ffff"
+ }
+ }
+ ]
+}
\ No newline at end of file From 7d9ca82f03b043d69361a5617e6c89904dc0be7e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:18 +0000 Subject: [PATCH 171/375] Exported file: HAFNIUM Suspicious UM Service Error.json.json --- .../HAFNIUM Suspicious UM Service Error.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json new file mode 100644
index 00000000..e45f5345
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
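Review bot: `displayName` is `HAFNIUM Suspicious File Downloads.` with a trailing period that no other rule in this series carries and that the exporter had to turn into an underscore in the file name (`HAFNIUM Suspicious File Downloads_.json`); `"displayName": "HAFNIUM Suspicious File Downloads"` keeps names consistent and file names stable. The interactive-extension filter is shipped commented out (`//| where InteractiveFile =~ "Yes"`), so the rule fires on every `Download failed and temporary file` message regardless of extension, while the description only mentions downloads of suspicious file types; the description should state that all failed OAB downloads are alerted and that the `InteractiveFile` column marks script extensions for triage, so the default behaviour is not a surprise.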
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "Event\n| where EventLog =~ \"Application\"\n| where Source startswith \"MSExchange\"\n| where EventLevelName =~ \"error\"\n| where (RenderedDescription startswith \"Watson report\" and RenderedDescription contains \"umworkerprocess\" and RenderedDescription contains \"TextFormattingRunProperties\") or RenderedDescription startswith \"An unhandled exception occurred in a UM worker process\" or RenderedDescription startswith \"The Microsoft Exchange Unified Messaging service\" or RenderedDescription contains \"MSExchange Unified Messaging\"\n| where RenderedDescription !contains \"System.OutOfMemoryException\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious UM Service Error",
+ "enabled": false,
+ "description": "This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "0625fcce-6d52-491e-8c68-1d9b801d25b9"
+ }
+ }
+ ]
+}
\ No newline at end of file From 838b89b76eda975542ef4aab67ed597573e02b9d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:19 +0000 Subject: [PATCH 172/375] Exported file: HAFNIUM UM Service writing suspicious file.json.json --- ...UM UM Service writing suspicious file.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json new file mode 100644
index 00000000..c3bd2707
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
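Review bot: The description says the rule looks for errors from `the service` without naming it, although the query is specific to the Exchange Unified Messaging worker (`umworkerprocess`, `UM worker process`, `MSExchange Unified Messaging`); `This query looks for Application-log errors from the Exchange Unified Messaging service that may indicate an attacker is attempting to exploit a vulnerability in it.` tells the analyst what was matched. The final `or RenderedDescription contains "MSExchange Unified Messaging"` clause is much broader than the three specific patterns before it and is what drives most matches; the `Low` severity is consistent with that, but the description should say the rule is intentionally noisy and meant for correlation with the other HAFNIUM UM rules in this series.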
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM UM Service writing suspicious file",
+ "enabled": false,
+ "description": "This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e"
+ }
+ }
+ ]
+}
\ No newline at end of file From d1572b751fe4f8f70fb2ccdce0463f3064cb7bd4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:20 +0000 Subject: [PATCH 173/375] Exported file: High Number of Urgent Vulnerabilities Detected (1).json.json --- ...f Urgent Vulnerabilities Detected (1).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json new file mode 100644
index 00000000..500a2085
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
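Review bot: `entityMappings` maps only `IPCustomEntity`, yet all three `union` branches set `AccountCustomEntity` and `HostCustomEntity`, and the `imFileEvent` branch sets no `IPCustomEntity` at all — so a `High` severity alert from that branch carries no entity, and every alert loses the host on which the UM process wrote the webshell candidate. Add `Account` and `Host` mappings alongside the existing `IP` one, as the other HAFNIUM rules in this series already do; the `DvcHostname`/`DeviceName`/`Computer` columns are already normalised into `HostCustomEntity` by the query, so no query change is needed.
```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "AccountCustomEntity" }
    ]
  },
  {
    "entityType": "Host",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "HostCustomEntity" }
    ]
  },
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IPCustomEntity" }
    ]
  }
],
```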
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| where Detections_s.Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "be52662c-3b23-435a-a6fa-f39bdfc849e6"
+ }
+ }
+ ]
+}
\ No newline at end of file From fffb628596487062474979c5fb388b983ac58ffe Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:20 +0000 Subject: [PATCH 174/375] Exported file: High Number of Urgent Vulnerabilities Detected.json.json --- ...er of Urgent Vulnerabilities Detected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json new file mode 100644
index 00000000..2cdfbc25
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
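Review bot: This rule and the next one in the series share the `displayName` `High Number of Urgent Vulnerabilities Detected` (the exporter had to suffix this file with `(1)`), while they read different tables — `QualysHostDetection_CL` with `mv-expand todynamic(Detections_s)` here, `QualysHostDetectionV2_CL` with `Severity_s` in the following rule — so incidents from the two cannot be told apart in the queue. Give each a distinguishing name, for example `"displayName": "High Number of Urgent Vulnerabilities Detected (Qualys V1 connector)"` here and a matching `(Qualys V2 connector)` variant there; the same applies to the identical description text in both. The effective threshold lives in the query (`let threshold = 10;`) while `triggerThreshold` is `0`, which is fine, but the description should mention it: `Fires when a host accumulates at least 10 (the query's threshold variable) severity-5 detections within the one-hour window.`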
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "3edb7215-250b-40c0-8b46-79093949242d"
+ }
+ }
+ ]
+}
\ No newline at end of file From 456dda3b8ffa9e2e2ec9402cbb1a7c7d5ec7bedc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:21 +0000 Subject: [PATCH 175/375] Exported file: High Urgency Cyberpion Action Items.json.json --- .../High Urgency Cyberpion Action Items.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
diff --git a/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json new file mode 100644
index 00000000..cd614521
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe)\n | summarize max(bin(TimeGenerated, time_generated_bucket))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "High Urgency Cyberpion Action Items", + "enabled": false, + "description": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered 
using the \"min_urgency\" variable in the query.", + "alertRuleTemplateName": "8e0403b1-07f8-4865-b2e9-74d1e83200a4" + } + } + ] +} \ No newline at end of file From ae005e053a9221ef3a22770c5565321aeaa599b4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:22 +0000 Subject: [PATCH 176/375] Exported file: High count of connections by client IP on many ports.json.json --- ...onnections by client IP on many ports.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json diff --git a/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json new file mode 100644 index 00000000..be38502a --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json 
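Review bot: The query ends with `| extend DNSCustomEntity = host_s`, but this template carries no `entityMappings` block, unlike the other exported rules in this series, so under `apiVersion` `2022-09-01-preview` the action-item host is presumably not attached to the alert as an entity and the incident has nothing to pivot on. Adding `"entityMappings": [{"entityType": "DNS", "fieldMappings": [{"identifier": "DomainName", "columnName": "DNSCustomEntity"}]}]` next to `tactics` restores that, assuming `host_s` holds a hostname rather than an address. Note also that the rule runs daily (`queryFrequency` P1D) over a 14-day window but keeps only rows in the latest hourly `TimeGenerated` bucket that are still `is_open_b == true`, so the same open items presumably re-alert on every run with `suppressionEnabled` false; if that is intended, the description should say so.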
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 10m;\nlet portThreshold = 30;\nW3CIISLog\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad 
password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of attempts by client IP on many ports\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| extend portCount = arraylength(set_sPort)\n| where portCount >= portThreshold\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\n| order by portCount\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "High count of connections by client IP on many ports", + "enabled": false, + "description": "Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \nThis could also simply indicate a misconfigured service or device.\nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "44a555d8-ecee-4a25-95ce-055879b4b14b" + } + } + ] +} \ No newline at end of file From 3a57e7f1807565938a02f9d2fdbd7fc65bda1549 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:23 +0000 Subject: [PATCH 177/375] Exported file: High count of failed attempts from same client IP.json.json --- ...f failed attempts from same client IP.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json diff --git a/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json new file mode 100644 index 00000000..17f73e2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/837ae291-8946-4918-a036-a22f4da70456')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/837ae291-8946-4918-a036-a22f4da70456')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 1m;\nlet failedThreshold = 20;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex 
=~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed attempts from same client IP\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "High count of failed attempts from same client IP", + "enabled": false, + "description": "Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \npotentially block these connections at the edge device.\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \nthat is associated with the client IP.\nReferences:\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "19e01883-15d8-4eb6-a7a5-3276cd668388" + } + } + ] +} \ No newline at end of file From 486b93ba6d08b8ac12393c18615c8978019c09e2 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:23 +0000 Subject: [PATCH 178/375] Exported file: High count of failed logons by a user.json.json --- ...High count of failed logons by a user.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of failed logons by a user.json diff --git a/SentinelExported-AnalyticsRule/High count of failed logons by a user.json b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json new file mode 100644 index 00000000..83b847c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - 
https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed logons by a user\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, 
set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "High count of failed logons by a user", + "enabled": false, + "description": "Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis could be indicative of attempted brute force based on known account information.\nThis could also simply indicate a misconfigured service or device. \nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "884c4957-70ea-4f57-80b9-1bca3890315b" + } + } + ] +} \ No newline at end of file From a4b83a1e3706b9b1046cc650f0baf2160f86a524 Mon Sep 17 00:00:00 2001 
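Review bot: The summarize groups `by bin(TimeGenerated, timeBin), csUserName, Computer, sIP` with `csUserName` exactly as logged, so the same account written with different casing (presumably as the client sent it) is counted as separate users and each variant may stay under `failedThreshold`. Normalising before the aggregation keeps one count per account without changing any column name: `| extend csUserName = tolower(csUserName)` placed directly after the `| where csUserName != "-"` filter. The `AccountCustomEntity` mapping continues to work since it still reads `csUserName`.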
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:24 +0000 Subject: [PATCH 179/375] Exported file: IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json.json --- ...successfully logs in to Palo Alto VPN.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json diff --git a/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json new file mode 100644 index 00000000..04938243 --- /dev/null +++ b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29579f11-7599-48db-9ded-b81730a99f26')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29579f11-7599-48db-9ded-b81730a99f26')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold.\nlet aadFunc = (tableName:string){\nlet suspicious_signins = \n table(tableName)\n //Looking for logon failure results\n | where ResultType !in (\"0\", \"50125\", \"50140\")\n //Exclude localhost addresses to reduce the chance of FPs\n | where IPAddress !in (\"127.0.0.1\", \"::1\")\n | summarize count() by IPAddress\n | where count_ > signin_threshold\n | summarize make_set(IPAddress);\n suspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\nCommonSecurityLog\n //Select only PA VPN sucessful logons\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"globalprotect\"\n | where Message has \"GlobalProtect gateway user authentication 
succeeded\"\n //Parse out the logon source IP from the Message field to match on\n | extend SourceIP = extract(\"Login from: ([^,]+)\", 1, Message) \n | where SourceIP in (suspicious_signins)\n | extend Reason = \"Multiple failed AAD logins from SourceIP\"\n //Parse out other useful information from Message field\n | extend User = extract('User name: ([^,]+)', 1, Message) \n | extend ClientOS = extract('Client OS version: ([^,\\\"]+)', 1, Message)\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN", + "enabled": false, + "description": "This query creates a list of IP addresses with a number failed login attempts to AAD \nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\nof these IPs within the same timeframe.", + "alertRuleTemplateName": "ba144bf8-75b8-406f-9420-ed74397f9479" + } + } + ] +} \ No newline at end of file From 32d07f35b729bde81c10531e3274c9eeadd16a96 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:25 +0000 Subject: [PATCH 180/375] Exported file: Known Barium IP.json.json --- .../Known Barium IP.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Barium IP.json diff --git a/SentinelExported-AnalyticsRule/Known Barium IP.json b/SentinelExported-AnalyticsRule/Known Barium IP.json new file mode 100644 index 00000000..2834837f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Barium IP.json 
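Review bot: The correlation only requires the GlobalProtect success and the AAD failures to fall in the same `queryPeriod` (P1D); nothing in the query requires the failures to precede the `GlobalProtect gateway user authentication succeeded` event, so a VPN login early in the day followed by failures from the same IP later also fires. If the intended signal is failures-then-success, `aadFunc` would need to carry the failure time out (a join rather than the `in` test), which is a larger change; otherwise the description should state that ordering is not enforced, e.g. `Failures and the VPN success only need to occur within the same lookback period; no ordering is enforced.` Separately, the description string reads `a number failed login attempts` and should read `a number of failed login attempts`.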
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/872545df-734f-481c-acd9-4a2d7af889e3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/872545df-734f-481c-acd9-4a2d7af889e3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| 
where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer \n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer \n), \n(Event \n| where Source == \"Microsoft-Windows-Sysmon\" \n| where EventID == 3 \n| extend EvData = parse_xml(EventData) \n| extend EventDetail = EvData.DataItem.EventData.Data \n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = 
EventDetail.[14].[\"#text\"] \n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\") \n), \n(WireData \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' 
DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n) \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known Barium IP", + "enabled": false, + "description": "Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", + "alertRuleTemplateName": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63" + } + } + ] +} \ No newline at end of file From c6f6db93478a27546eb720d23878fc5d25f42bab Mon Sep 17 00:00:00 2001 
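Review bot: The `IPList` indicator set is hard-coded in the query, so it can only be refreshed by redeploying the rule and every unioned table branch re-evaluates the full literal list; reading it from a watchlist via `_GetWatchlist('<watchlist-name>')` or matching against the `ThreatIntelligenceIndicator` table keeps the same logic while letting indicators be retired or added without a template change, which matters for a rule kept at `severity` High. In the `Event` branch, `EventDetail.[9].["#text"]` and `EventDetail.[14].["#text"]` select SourceIp and DestinationIp by position in the Sysmon Event ID 3 payload, which presumably depends on the Sysmon schema version deployed; selecting by field name would be safer. The two `AzureDiagnostics` branches match on `DestinationHost` but set `IPCustomEntity = SourceHost` and set no `timestamp`, unlike every other branch, which maps the matched indicator; `| extend timestamp = TimeGenerated, IPCustomEntity = DestinationHost` would bring them in line, unless mapping the internal source was deliberate, in which case a comment in the query should say so.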
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:26 +0000 Subject: [PATCH 181/375] Exported file: Known Barium domains.json.json --- .../Known Barium domains.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Barium domains.json diff --git a/SentinelExported-AnalyticsRule/Known Barium domains.json b/SentinelExported-AnalyticsRule/Known Barium domains.json new file mode 100644 index 00000000..26b4f12c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Barium domains.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", 
\"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", 
\"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n 
\"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", 
\"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (DnsEvents \n | extend DNSName = Name \n | where isnotempty(DNSName) \n | where DNSName has_any (DomainNames) \n | extend IPAddress = ClientIP \n ), \n (imDns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ (DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (DomainNames) \n | extend DNSName = Request_Name\n | extend IPAddress = ClientIP \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPAddress = SourceHost\n ) \n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known Barium domains", + "enabled": false, + "description": "Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", + "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d" + } + } + ] +} \ No newline at end of file From 63c5c1c0b0af45f3a430cef6701a60c1adfc7cfe Mon Sep 17 00:00:00 2001 
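Review bot: The `DomainNames` array in the `query` string repeats thirteen entries that already appear earlier in the same list (`battllestategames.com`, `cdsend.xyz`, `comcleanner.info`, `microsock.website`, `microsocks.net`, `microsoftsonline.net`, `mlcrosoft.site`, `ns1.microsoftprod.com`, `ns2.microsoftprod.com`, `pricingdmdk.com`, `steamappstore.com`, `update08.com`, `wnswindows.com`), which looks like two IOC sets concatenated without de-duplication and makes the list harder to audit against its source. Matching is also inconsistent across the union branches: `CommonSecurityLog`, `VMConnection` and `DeviceNetworkEvents` use exact `in~`, while `DnsEvents` and the Azure Firewall branches use `has_any`, so a subdomain of a listed apex (or a `RemoteUrl` that carries a scheme or path rather than a bare host, if that is how the connector populates it) is only caught on some sources; `| where DNSName has_any (DomainNames)` on the exact-match branches would make coverage uniform, at the cost of also matching parents of listed names. Note that the rule is exported with `"enabled": false`, so deploying this template creates a dormant rule until it is switched on.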
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:27 +0000 Subject: [PATCH 182/375] Exported file: Known CERIUM domains and hashes.json.json --- .../Known CERIUM domains and hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json diff --git a/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json new file mode 100644 index 00000000..6fdffb9b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = ClientIP\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known CERIUM domains and hashes", + "enabled": false, + "description": "CERIUM malicious webserver and hash values for maldocs and malware. 
\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.", + "alertRuleTemplateName": "c87fb346-ea3a-4c64-ba92-3dd383e0f0b5" + } + } + ] +} \ No newline at end of file From 93a4a1851c20e91c958d873abc0e27d6b07937b2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:27 +0000 Subject: [PATCH 183/375] Exported file: Known GALLIUM domains and hashes.json.json --- .../Known GALLIUM domains and hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json diff --git a/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json new file mode 100644 index 00000000..360e64e9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json 
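Review bot: In the `CommonSecurityLog` branch, `| where isnotempty(FileHash)` is applied ahead of `| where FileHash in (SHA256Hash) or DNSName =~ DomainNames`, so a CEF event whose parsed `DNSName` equals `miniodaum.ml` but that carries no file hash is discarded before the `or` is evaluated, defeating the domain path; dropping the `isnotempty` line (an empty `FileHash` cannot match the hash list anyway) restores it. `FileHash in (SHA256Hash)` is also case-sensitive against lowercase IOC values, so a vendor that emits uppercase hex never matches — `| where FileHash in~ (SHA256Hash) or DNSName =~ DomainNames` covers both. The `DnsEvents` and `VMConnection` branches use exact `=~` while the Azure Firewall branches use `has_any`, so subdomains of `miniodaum.ml` are only caught by the firewall sources. The `description` still lists only CommonSecurityLog, DnsEvents and VMConnection although the query also reads `AzureDiagnostics`.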
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/338cfd75-5f86-4e98-91a0-87733bd4698e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/338cfd75-5f86-4e98-91a0-87733bd4698e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic 
([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", \"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", \"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", \"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n( imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = 
SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA1=' SHA1 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| extend Account = UserName\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known GALLIUM domains and hashes", + "enabled": false, + "description": "GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ", + "alertRuleTemplateName": "26a3b261-b997-4374-94ea-6c37f67f4f39" + } + } + ] +} \ No newline at end of file From f410c080e06f3ee6831e20ac7958329071f07f63 Mon Sep 17 00:00:00 2001 
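Review bot: The Sysmon branch parses `SHA1` out of `Hashes` with `parse Hashes with * 'SHA1=' SHA1 ',' *` but then filters on `| where Hashes in (SHA1Hash)`, comparing the whole `SHA1=…,MD5=…` string against bare SHA1 values, so this branch cannot match; it should be `| where isnotempty(SHA1) | where SHA1 in~ (SHA1Hash)` (`in~` because Sysmon writes hashes in uppercase hex while the IOC list is lowercase), and the `','` terminator in the parse pattern will also fail when SHA1 is the last or only algorithm configured, so a pattern that tolerates end-of-string is needed there. The positional `EventDetail.[16]` lookup depends on the Sysmon schema version and on the event being ID 1, and the branch never restricts `EventID`, so a different field order silently reads another field; `| where EventID == 1` plus resolving the field by name would be safer. The `CommonSecurityLog` branch has the same `isnotempty(FileHash)` gate ahead of the `or DNSName in~ (DomainNames)` clause as the CERIUM rule, so domain-only CEF matches are dropped. The `description` names `SecurityEvents` while the query reads the `Event` table.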
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:28 +0000 Subject: [PATCH 184/375] Exported file: Known IRIDIUM IP.json.json --- .../Known IRIDIUM IP.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known IRIDIUM IP.json diff --git a/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json new file mode 100644 index 00000000..ca0ee39c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| where DestinationIPAddress has_any 
(IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where 
isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known IRIDIUM IP", + "enabled": false, + "description": "IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.", + "alertRuleTemplateName": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63" + } + } + ] +} \ No newline at end of file From a65e3a35f5a871249458ab4e467086e1c63cf63e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:29 +0000 Subject: [PATCH 185/375] Exported file: Known Malware Detected.json.json --- .../Known Malware Detected.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Malware Detected.json diff --git a/SentinelExported-AnalyticsRule/Known Malware Detected.json b/SentinelExported-AnalyticsRule/Known Malware Detected.json new file mode 100644 index 00000000..4ab955a5 --- /dev/null 
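Review bot: In the `CommonSecurityLog` branch, a hit found only through `Message has_any (IPList)` sets the IP entity column to the literal string `"IP in Message Field"` (the `VMConnection` and Sysmon branches likewise fall back to `"None"`), so the `IP` entity mapping on `IPCustomEntity` receives a non-address and the matched indicator is lost from the incident; extracting the matching list entry from `Message` (for example with `extract` over the IOC list joined into a regex) and otherwise leaving the column empty would keep the entity usable. The two Azure Firewall branches map `IPCustomEntity = SourceHost`, the internal client, while the indicator is the destination they matched on, so the IOC IP itself is never surfaced as an entity; a second `IP` mapping on `DestinationIP` would preserve it. The `OfficeActivity` branch compares `ClientIP` with exact `in`, and that field can carry a port suffix or bracketed IPv6 for some workloads, in which case those rows would not match — worth confirming against the tenant's data.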
+++ b/SentinelExported-AnalyticsRule/Known Malware Detected.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nCarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": 
"FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Known Malware Detected", + "enabled": false, + "description": "This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.", + "alertRuleTemplateName": "9f86885f-f31f-4e66-a39d-352771ee789e" + } + } + ] +} \ No newline at end of file From 3a9d958f527fde1799d70c82694b47e49181c025 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:30 +0000 Subject: [PATCH 186/375] Exported file: Known Manganese IP and UserAgent activity.json.json --- ...n Manganese IP and UserAgent activity.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json diff --git a/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json new file mode 100644 index 00000000..74a8e5d7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Collection" + ], + "techniques": null, + "displayName": "Known Manganese IP and UserAgent activity", + "enabled": false, + "description": "Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\nReferences: \nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\nhttps://fortiguard.com/psirt/FG-IR-18-384", + "alertRuleTemplateName": "a04cf847-a832-4c60-b687-b0b6147da219" + } + } + ] +} \ No newline at end 
of file From 29cd85ee06aa68ee0bb03c7eb7f18a5b080b2acf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:30 +0000 Subject: [PATCH 187/375] Exported file: Known NICKEL domains and hashes.json.json --- .../Known NICKEL domains and hashes.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json diff --git a/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json new file mode 100644 index 00000000..9ebf81c9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json 
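Review bot: The `case()` fallback in the CommonSecurityLog branch writes the literal string `"IP in Message Field"` into `IPCustomEntity`, and the IP entity mapping in the same hunk binds that column to `Address`, so a row matched only through `has_any_ipv4(Message, IPList)` yields an IP entity whose address is not an IP. The Known Phosphorus group domains/IP hunk later in this series has the same shape with its `"NoMatch"` and `"None"` fallbacks. Prefer extracting the address as that rule does for its `MessageIP` column, e.g. `| extend MessageIP = extract(IPRegex, 0, Message)` with the same `IPRegex` literal it declares, then `IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, MessageIP)`, keeping in mind that `extract` returns only the first address when a message carries several; alternatively leave the column empty, which I believe causes no entity to be emitted. The hard-coded `IPList` also ages; sourcing it from a watchlist or the ThreatIntelligenceIndicator table keeps the rule maintainable without redeploying the template.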
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", 
\n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n \"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n 
\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ 
(SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known NICKEL domains and hashes", + "enabled": false, + "description": "IOC domains and hash values for tools and malware used by NICKEL. \n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.", + "alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598" + } + } + ] +} \ No newline at end of file From a600ee71c37b25f2de2619c12f367ee0185ec9aa Mon Sep 17 00:00:00 2001 
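Review bot: In the `Event` (Sysmon) branch the filter is `| where Hashes in (SHA256Hashes)`, but `Hashes` is the raw multi-hash field and the value the preceding `parse` extracts into `SHA256` is never compared, so this branch cannot match the indicator list. Change it to `| where isnotempty(SHA256) and SHA256 in~ (SHA256Hashes)`, since `parse` leaves `SHA256` empty when `SHA256=` is absent or is the last hash with no trailing comma. The branch also addresses the hash field by fixed position, `EventDetail.[16]`, which the in-query comment already flags as environment-dependent; a `parse` on the `EventData` text for `SHA256=` would be less brittle than the index. The `description` names `SecurityEvents` while the query reads the `Event` table; aligning the wording avoids misleading operators checking data-connector coverage.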
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:31 +0000 Subject: [PATCH 188/375] Exported file: Known PHOSPHORUS group domains_IP - October 2020.json.json --- ...HORUS group domains_IP - October 2020.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json diff --git a/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json new file mode 100644 index 00000000..9e2d991a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ef21999-d53f-4840-bde9-6b90ee767bb7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ef21999-d53f-4840-bde9-6b90ee767bb7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = 
Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } 
+ ], + "tactics": [ + "CommandAndControl", + "InitialAccess" + ], + "techniques": null, + "displayName": "Known PHOSPHORUS group domains/IP - October 2020", + "enabled": false, + "description": "Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: ", + "alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498" + } + } + ] +} \ No newline at end of file From 1e95d727c6989aa3de244fe72ed791eeb7288019 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:32 +0000 Subject: [PATCH 189/375] Exported file: Known Phosphorus group domains_IP.json.json --- .../Known Phosphorus group domains_IP.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json diff --git a/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json new file mode 100644 index 00000000..ac14a690 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json 
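Review bot: `MessageIP` and `RequestURLIP` are computed in the CommonSecurityLog branch from `IPRegex`, but nothing in the query reads them and this rule declares no IP indicator list, so the `let IPRegex` and both `extend` lines are dead regex work on every row; drop them, or add the intended IP list and filter on them. The `IP` entity mapping is fed only by the DnsEvents branch, where `IPCustomEntity = DestinationIPAddress` comes from `IPAddresses`; the plural name suggests a multi-valued field, so confirm it holds a single address before binding it to `Address`. The `description` ends with `References: ` and nothing after it; either add the advisory link the other rules in this series carry or remove the dangling label.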
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7e19583d-27e1-41c2-90a9-3f813155c6ce')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7e19583d-27e1-41c2-90a9-3f813155c6ce')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\", 
\n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"session-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"sessio
n-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == \"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = 
Host),\n(imDns\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPCustomEntity = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known Phosphorus group domains/IP", + "enabled": false, + "description": "Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.", + "alertRuleTemplateName": "155f40c6-610d-497d-85fc-3cf06ec13256" + } + } + ] +} \ No newline at end of file From 08b976d30132482780eb0fc8632cdd375053c141 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:33 +0000 Subject: [PATCH 190/375] Exported file: Known STRONTIUM group domains - July 2019.json.json --- ...n STRONTIUM group domains - July 2019.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json 
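Review bot: The CommonSecurityLog and VMConnection branches set `Account`/`Host` but never `AccountCustomEntity`/`HostCustomEntity`, which are the columns the Account and Host entity mappings in this hunk bind to, so incidents raised from those branches carry at most an IP entity. The Known NICKEL rule in this series finishes its union with one trailing projection; the equivalent here, appended after the union's closing `)`, is `| extend AccountCustomEntity = coalesce(AccountCustomEntity, Account), HostCustomEntity = coalesce(HostCustomEntity, Host)`, which preserves the values the DnsEvents, imDns and OfficeActivity branches already set. The imDns branch also derives `DestinationIPAddress` from `DnsResponseName` and tests it with `has_any (IPList)`; whether that ASIM field carries the resolved address should be confirmed, as the comparison is otherwise silently empty.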
diff --git a/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json new file mode 100644 index 00000000..8400e3be --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0adc565-7cd3-47f0-9027-c700df43303a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0adc565-7cd3-47f0-9027-c700df43303a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"irf.services\",\"microsoft-onthehub.com\",\"msofficelab.com\",\"com-mailbox.com\",\"my-sharefile.com\",\"my-sharepoints.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\n\"onedrive-sharedfile.com\",\"onedrv-live.com\",\"transparencyinternational-my-sharepoint.com\",\"transparencyinternational-my-sharepoints.com\",\"soros-my-sharepoint.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\n(DnsEvents \n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\n(imDns (domain_has_any=DomainNames)\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPAddress = RemoteIp, Host = Computer),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID 
\" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost)\n)\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known STRONTIUM group domains - July 2019", + "enabled": false, + "description": "Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.", + "alertRuleTemplateName": "074ce265-f684-41cd-af07-613c5f3e6d0d" + } + } + ] +} \ No newline at end of file From 1968818f07758dde34505abd09a61549646b7195 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:33 +0000 Subject: [PATCH 191/375] Exported file: Known ZINC Comebacker and Klackring malware hashes.json.json --- ...mebacker and Klackring malware hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json diff --git a/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json new file mode 100644 index 00000000..e47bd107 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json 
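Review bot: The CommonSecurityLog, DnsEvents, VMConnection and both AzureDiagnostics branches carry no filter of their own; the only IOC test is the union-wide `| where DNSName has_any (DomainNames)` at the end, so `parse Message with * '(' DNSName ')' *` and the two `parse msg_s ...` patterns run over every row of the day before a single comparison is made. Pushing a cheap term filter into each branch before the parse, e.g. `| where Message has_any (DomainNames)` in the CommonSecurityLog branch and `| where Name has_any (DomainNames)` in DnsEvents, keeps the result set identical and bounds the scan (the imDns branch already does this via `domain_has_any`). The description still says the rule matches "with CommonSecurityLog, DnsEvents and VMConnection dataTypes" although the query also covers imDns and the Azure Firewall DNS-proxy and application-rule logs, so it should be updated to match. `techniques` is null; the rule is tagged CommandAndControl on domain IOCs, so the corresponding ATT&CK technique ID (presumably T1071) should be filled in so incidents carry the reference.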
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8a5e860b-05d8-47b1-bb76-f690d926ab12')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8a5e860b-05d8-47b1-bb76-f690d926ab12')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 
'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(DnsEvents\n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend Type = \"DnsEvents\", IPAddress = ClientIP\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| 
where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, 
CommandLine, FileName\n),\n(SecurityEvent\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "Known ZINC Comebacker and Klackring malware hashes", + "enabled": false, + "description": "ZINC attacks against security researcher campaign malware hashes.", + "alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605" + } + } + ] +} \ No newline at end of file From f3e8ff4862afb26f2ee18f648b05d7335185e2fc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:34 +0000 Subject: [PATCH 192/375] Exported file: Known ZINC related maldoc hash.json.json --- .../Known ZINC related maldoc hash.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json 
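Review bot: In the CommonSecurityLog branch `| where isnotempty(FileHash)` is applied before `| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)`, so a row that matches only on the parsed DNSName with an empty FileHash (the normal shape for proxy/firewall CEF) is discarded and the domain IOCs never fire on that source; the intended OR is `| where (isnotempty(FileHash) and FileHash in~ (SHA256Hash)) or DNSName in~ (DomainNames)`. The Sysmon branch reads `EventDetail.[16].["#text"]` without any EventID restriction, so the positional index may address a different field for event types other than the one the author had in mind; restrict it to the event IDs whose EventData layout carries Hashes at that position (the Log4j rule in this series does this with `| where EventID == 3`), and note that `parse Hashes with * 'SHA256=' SHA256 ',' *` yields nothing when SHA256 is the last or only algorithm in the field, since there is then no trailing comma — confirm against the Sysmon config in use. `DeviceNetworkEvents | where RemoteUrl in~ (DomainNames)` is an exact match while every other branch uses has_any, so a RemoteUrl carrying a subdomain, scheme or path will not match; `has_any` would be consistent. The `SecurityAlert` branch keys on `ProductName == "Microsoft Defender Advanced Threat Protection"`, which is the product's old name — verify the value currently emitted, or match on it with `has_any` of both names. The inline comment also has a typo: "updataing" → "updating".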
diff --git a/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json new file mode 100644 index 00000000..c3947948 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6587f4a3-260a-470f-a372-fd7d879e9772')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6587f4a3-260a-470f-a372-fd7d879e9772')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": 
[], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known ZINC related maldoc hash", + "enabled": false, + "description": "Document hash used by ZINC in highly targeted spear phishing campaign.", + "alertRuleTemplateName": "3174a9ec-d0ad-4152-8307-94ed04fa450a" + } + } + ] +} \ No newline at end of file From c8f97f38b67805d1a25d7baca09b040bfc69374e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:35 +0000 Subject: [PATCH 193/375] Exported file: Linked Malicious Storage Artifacts.json.json --- .../Linked Malicious Storage Artifacts.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json diff --git a/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json new file mode 100644 index 00000000..ee6c08b8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json 
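Review bot: The Sysmon branch never compares the parsed digest: `parse Hashes with * 'SHA256=' SHA265 ',' *` stores it in a variable named `SHA265` and the filter is `| where Hashes in (SHA256Hash)`, i.e. the whole `SHA256=...` (possibly comma-joined multi-algorithm) string against a bare hex digest, which can never be equal, so this source is dead. It should read `| parse Hashes with * 'SHA256=' SHA256 ',' *` followed by `| where SHA256 in~ (SHA256Hash)`, using the case-insensitive operator because Sysmon typically emits uppercase hex while the IOC is lowercase; the same applies to `FileHash in (SHA256Hash)` in the CommonSecurityLog branch, whose `parse Message with * '(' DNSName ')' *` result is never used and can be dropped. `EventDetail.[16]` is read with no EventID filter, so the positional index presumably selects the wrong field for event types other than the intended one — add an EventID restriction, and note that the parse yields nothing when SHA256 is the last or only hash in the field (no trailing comma).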
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Collect the alert events\nlet alertData = SecurityAlert \n| where DisplayName has \"Potential malware uploaded to\" \n| extend Entities = parse_json(Entities) \n| mv-expand Entities;\n//Parse the IP address data\nlet ipData = alertData \n| where Entities['Type'] =~ \"ip\" \n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\n//Parse the file data\nlet FileData = alertData \n| where Entities['Type'] =~ \"file\" \n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\n//Combine the File and IP data together\nipData \n| join (FileData) on VendorOriginalId \n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\n//Create a type column so we can track if it was a File storage or blobl storage upload \n| extend type = iff(DisplayName has \"file\", \"File\", \"Blob\") \n| join (\n union\n StorageFileLogs, \n StorageBlobLogs \n //File upload operations \n | where 
OperationName =~ \"PutBlob\" or OperationName =~ \"PutRange\"\n //Parse out the uploader IP \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0])\n //Extract the filename from the Uri \n | extend FileName = extract(@\"\\/([\\w\\-. ]+)\\?\", 1, Uri)\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\n //We can work around this by making it an array then converting it to hex from an int \n | extend base64Char = base64_decode_toarray(ResponseMd5) \n | mv-expand base64Char \n | extend hexChar = tohex(toint(base64Char))\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\"0\", hexChar), hexChar) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \n | extend Md5Hash = strcat_array(list_hexChar, \"\")\n //Pack the file information the summarise into a ClientIP row \n | extend p = pack(\"FileName\", FileName, \"FileSize\", RequestBodySize, \"Md5Hash\", Md5Hash, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \n | join kind=leftouter (\n union\n StorageFileLogs,\n StorageBlobLogs \n | where OperationName =~ \"DeleteFile\" or OperationName =~ \"DeleteBlob\" \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0]) \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | extend p = pack(\"FileName\", FileName, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\n ) on ClientIP\n ) on $left.AttackerIP == $right.ClientIP \n| mvexpand UploadedFileInfo \n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \"MD5\", IPCustomEntity = AttackerIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Exfiltration" + ], + "techniques": null, + "displayName": "Linked Malicious Storage Artifacts", + "enabled": false, + "description": "An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.", + "alertRuleTemplateName": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d" + } + } + ] +} \ No newline at end of file 
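Review bot: The FileHash entity is populated with the file name rather than the hash: the final line sets `FileHashCustomEntity = LinkedMaliciousFileName` while `entityMappings` binds `FileHash.Value` to that column, so incidents carry a filename where a hash is expected and hash pivots or TI matching on the entity will not work. It should be `| extend FileHashCustomEntity = LinkedMaliciousFileHash, HashAlgorithm = "MD5", IPCustomEntity = AttackerIP`. In the delete sub-join `SourceTable = iff(OperationName has "range", "StorageFileLogs", "StorageBlobLogs")` can never be true for DeleteFile/DeleteBlob, so every deletion is labelled StorageBlobLogs; keying on `OperationName has "File"` (or tagging each table before the union) would be accurate. The `extract(@"\/([\w\-. ]+)\?", 1, Uri)` filename extraction also requires a `?` in the Uri, so an upload whose Uri has no query string gets an empty FileName — presumably most carry a SAS or api-version query, but this should be confirmed on real StorageBlobLogs data.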
From b5a673c9860de1eb6b474c67bf097259bddc9319 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:35 +0000 Subject: [PATCH 194/375] Exported file: Log4j vulnerability exploit aka Log4Shell IP IOC.json.json --- ...rability exploit aka Log4Shell IP IOC.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json diff --git a/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json new file mode 100644 index 00000000..d3dd465c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6392295f-31e9-45da-8c14-5554a2b3fb7c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6392295f-31e9-45da-8c14-5554a2b3fb7c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"No Match\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch, LogType = Type \n| extend timestamp = StartTime, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"No Match\")\n),\n(OfficeActivity \n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend 
timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account, LogType = Type\n),\n(DnsEvents\n| where IPAddresses has_any (IPList)\n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imNetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr, LogType = Type\n),\n (VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer, LogType = Type\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"), LogType = Type\n),\n(WireData\n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, LogType = Type\n),\n(SigninLogs\n| where 
isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, LogType = Type\n),\n(AzureActivity\n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, LogType = Type\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, LogType = Type\n), \n( \nDeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"java.exe\" and ProcessCommandLine has_all ('curl -s','wget') or\nProcessCommandLine has_all ('curl',@'${jndi') or \nProcessCommandLine has_any (\"${jndi:ldap://\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop://\",\"${jndi:\",'${web:','${jvmrunargs:')\n| extend LogType = Type\n),\n(\nDeviceNetworkEvents\n| where RemoteIP in(IPList) and ActionType != \"ConnectionFailed\"\n| extend LogType = Type\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Log4j vulnerability exploit aka Log4Shell IP IOC", + "enabled": false, + "description": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228", + "alertRuleTemplateName": "6e575295-a7e6-464c-8192-3e1d8fd6a990" + } + } + ] +} \ No newline at end of file 
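Review bot: The IOC list is pulled with `externaldata(...)` from a raw GitHub URL on the `master` branch at every run, so the detection's content depends on a mutable, unauthenticated remote file: if it is moved, emptied or tampered with, the rule degrades silently (an empty IPList matches nothing) and no alert is raised. Pin the URL to a commit hash, or better, load the indicators into a Sentinel watchlist or the ThreatIntelligenceIndicator table and reference that, and consider a health check that fires when the list returns zero rows. The `DeviceProcessEvents` branch and the trailing second `DeviceNetworkEvents` branch set only `LogType`, so their rows carry no AccountCustomEntity/HostCustomEntity/IPCustomEntity and yield incidents without entities; add `| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName` to the former and `| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, IPCustomEntity = RemoteIP` to the latter. The earlier `DeviceNetworkEvents | where RemoteIP in (IPList)` branch already covers that trailing branch, so every such match is emitted twice. In the DeviceProcessEvents filter `and` binds tighter than `or`, so the `InitiatingProcessFileName =~ "java.exe"` restriction applies only to the first `has_all` clause — parenthesize if that is not intended.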
From 4a216049bc8f8c5920a1b1c0b1ac0db7c3f3cce5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:36 +0000 Subject: [PATCH 195/375] Exported file: Login to AWS Management Console without MFA.json.json --- ...to AWS Management Console without MFA.json | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json diff --git a/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json new file mode 100644 index 00000000..cde09b40 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebbc52fe-8427-412b-98a7-6804d5506f7d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebbc52fe-8427-412b-98a7-6804d5506f7d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + 
"entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion", + "PrivilegeEscalation", + "Persistence", + "InitialAccess" + ], + "techniques": null, + "displayName": "Login to AWS Management Console without MFA", + "enabled": false, + "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.", + "alertRuleTemplateName": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc" + } + } + ] +} \ No newline at end of file From 2f4023cbea4687076fb241918ef4beaf58d2cce0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:37 +0000 Subject: [PATCH 196/375] Exported file: MFA Rejected by User.json.json --- .../MFA Rejected by User.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/MFA Rejected by User.json diff --git a/SentinelExported-AnalyticsRule/MFA Rejected by User.json b/SentinelExported-AnalyticsRule/MFA Rejected by User.json new file mode 100644 index 00000000..bd685e97 --- /dev/null +++ b/SentinelExported-AnalyticsRule/MFA Rejected by User.json 
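Review bot: The `MFAUsed !~ "Yes"` filter in the query also matches federated console sign-ins (SAML / IAM Identity Center), which arrive as AssumedRole or FederatedUser identities and, in my experience, carry `MFAUsed: No` even when the IdP enforced MFA, so in SSO-based accounts this fires on every login. If your connector populates `UserIdentityType`, narrowing to local identities removes most of that noise and keeps the case that matters (root and IAM-user passwords without MFA): `| where UserIdentityType in~ ("IAMUser", "Root")`. The `queryFrequency`/`queryPeriod` of `P1D` means a successful non-MFA root login can sit for up to 24 hours before an incident exists; `PT1H`/`PT1H` is the usual choice for an initial-access signal. The description also misspells "adminsitrative".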
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "SigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\"\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "MFA Rejected by User", + "enabled": false, + "description": "Identifies accurances where a user has rejected an MFA prompt. 
This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", + "alertRuleTemplateName": "d99cf5c3-d660-436c-895b-8a8f8448da23" + } + } + ] +} \ No newline at end of file From 57faab0da4e5e326efd8dc97e10bc7859570fdbf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:38 +0000 Subject: [PATCH 197/375] Exported file: MFA disabled for a user.json.json --- .../MFA disabled for a user.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/MFA disabled for a user.json diff --git a/SentinelExported-AnalyticsRule/MFA disabled for a user.json b/SentinelExported-AnalyticsRule/MFA disabled for a user.json new file mode 100644 index 00000000..32292735 --- /dev/null +++ b/SentinelExported-AnalyticsRule/MFA disabled for a user.json 
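Review bot: The query emits one raw SigninLogs row per declined prompt with `triggerThreshold` 0 and incident grouping disabled, so a single accidental "Deny" tap raises a Medium incident while a real push-bombing run against one user produces a pile of separate incidents instead of one with a count. Aggregating before the entity extends gives analysts what they need to triage: `| summarize DenyCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Apps = make_set(AppDisplayName) by UserPrincipalName, IPAddress` followed by `| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress`. The exact-string match on `Status.additionalDetails` is brittle; if MFA-fatigue coverage is the goal, ResultType 500121 with the "user did not respond" detail is the more common signal and would be worth a separate branch once the string is confirmed against your tenant's data. The description's "accurances" should read "occurrences".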
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n(union isfuzzy=true\n(AuditLogs \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , 
Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "MFA disabled for a user", + "enabled": false, + "description": "Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ", + "alertRuleTemplateName": "65c78944-930b-4cae-bd79-c3664ae30ba7" + } + } + ] +} \ No newline at end of file From ef7432e55cb5b9a31a56aff5845f5260fd47a024 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:39 +0000 Subject: [PATCH 198/375] Exported file: MSHTML vulnerability CVE-2021-40444 attack.json.json --- ...L vulnerability CVE-2021-40444 attack.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json diff --git a/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json new file mode 100644 index 00000000..d7624dab --- /dev/null 
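Review bot: Neither branch of the union checks whether the operation succeeded, yet both summarize steps drop the outcome columns (`Result` in AuditLogs, `ErrorCode` in AWSCloudTrail), so the incident cannot tell an analyst whether MFA was actually removed or the caller was denied. The description says "attempt", so keeping failures is defensible, but the outcome should travel with the alert: add `Result` to the AuditLogs summarize-by keys and `ErrorCode` to the AWS ones, e.g. `... by User = TargetUser, InitiatedByUser, Operation = OperationName, Result, CorrelationId, IPAddress, ...`. `Disable Strong Authentication` only covers legacy per-user MFA; in tenants that manage MFA via authentication methods and Conditional Access, removal of a user's registered methods is logged under different operations (the "deleted security info" family — verify the exact `OperationName` strings in your AuditLogs), which this rule does not see.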
+++ b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, 
UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "MSHTML vulnerability CVE-2021-40444 attack", + "enabled": false, + "description": "This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \".cpl:../../msword.inf\"\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", + "alertRuleTemplateName": "972c89fa-c969-4d12-932f-04d55d145299" + } + } + ] +} \ No newline at end of file From 7ecc095e989913d1b2e12aff1efb17d522d1c2ef Mon Sep 17 00:00:00 2001 
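Review bot: The regex used in all three branches, `\".[a-zA-Z]{2,4}:\.\.\/\.\.`, only accepts forward-slash traversal after the handler prefix, so a command line of the form `".cpl:..\..\` would not match; if that variant matters to you, `matches regex @'\".[a-zA-Z]{2,4}:\.\.[\\/]\.\.'` accepts either separator (mind the doubled escaping when it goes back into the JSON string). The `ProcessCommandLine has '.cpl:'` clause is term-based: if the punctuation is discarded during tokenization it reduces to the term `cpl`, which routine control-panel launches such as `rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl` would also satisfy, so validate the rule against a week of baseline data before enabling it at High severity. The DeviceProcessEvents branch has `InitiatingProcessFileName` available but does not carry it into the output; projecting it would let analysts see whether the spawning process was an Office application without pivoting.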
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:39 +0000 Subject: [PATCH 199/375] Exported file: Mail redirect via ExO transport rule.json.json --- .../Mail redirect via ExO transport rule.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json diff --git a/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json new file mode 100644 index 00000000..1da049e2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nOfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\n \"Unknown\"\n ) \n| mvexpand p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly = case( \n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), \n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), \n ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\n ClientIP\n ) \n| extend Port = case(\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\n ClientIP\n )\n| extend ClientIP = ClientIPOnly\n| 
project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection", + "Exfiltration" + ], + "techniques": null, + "displayName": "Mail redirect via ExO transport rule", + "enabled": false, + "description": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.", + "alertRuleTemplateName": "500415fb-bba7-4227-a08a-9857fb61b6a7" + } + } + ] +} \ No newline at end of file From 56654f125003f633f6d0fce9fe876c3566c41c5c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:40 +0000 Subject: [PATCH 200/375] Exported file: Mail.Read Permissions Granted to Application.json.json --- ...ad Permissions Granted to Application.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json 
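Review bot: `RuleName` for `New-TransportRule` is taken positionally from `p[1].Value`, which assumes the rule name is always the second entry in `Parameters`; nothing guarantees that order, so the name should be picked by its `Name` field — for example an `mv-apply` over `p` that keeps the entry where `n.Name =~ "Name"` and takes `tostring(n.Value)`, run before the existing `mvexpand p`. The rule also fires on any `BlindCopyTo`/`RedirectMessageTo` target, including internal compliance or manager copies that are routine in many tenants; surfacing the destination domain, `| extend RedirectDomain = tostring(split(tostring(RedirectTo), "@")[1])`, and excluding your own verified domains (a watchlist is the usual home for them) keeps the Medium severity meaningful. `Enable-TransportRule` on a rule that was created disabled and switched on later is not covered by the `New-`/`Set-` filter and is worth adding if your audit data shows it.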
diff --git a/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json new file mode 100644 index 00000000..44975a82 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nAuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| project-away props\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | extend AppName = tostring(TargetResources[0].displayName)\n | 
extend AppId = tostring(TargetResources[0].id)\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Mail.Read Permissions Granted to Application", + "enabled": false, + "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.", + "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760" + } + } + ] +} \ No newline at end of file From 84bb192119ec7f480659b08798b641aa3aa30775 Mon Sep 17 00:00:00 2001 
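Review bot: The `Permissions has_any ("Mail.Read", "Mail.ReadWrite")` filter misses other scopes that give an application mailbox access — `Mail.Send`, `MailboxSettings.ReadWrite`, `full_access_as_app`, `EWS.AccessAsUser.All`, `IMAP.AccessAsUser.All`, `POP.AccessAsUser.All` — so consent to an app that reads mail over EWS or IMAP rather than Graph never reaches this alert; extend the list: `| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "full_access_as_app", "EWS.AccessAsUser.All", "IMAP.AccessAsUser.All", "POP.AccessAsUser.All")`. `| extend Type = tostring(TargetResources[0].type)` overwrites the table's built-in `Type` column, which is confusing and breaks anything downstream keyed on it; rename to `TargetType`. The initiator filter's `tostring(InitiatedBy.app.displayName) has "@"` branch also looks unintended, since application display names rarely contain `@`, so confirm whether admin-consent grants performed by a service principal are meant to be excluded here.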
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:41 +0000 Subject: [PATCH 201/375] Exported file: Malformed user agent.json.json --- .../Malformed user agent.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malformed user agent.json diff --git a/SentinelExported-AnalyticsRule/Malformed user agent.json b/SentinelExported-AnalyticsRule/Malformed user agent.json new file mode 100644 index 00000000..085e69a9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malformed user agent.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89bbc939-d47e-4b36-82dc-bcec562f0763')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89bbc939-d47e-4b36-82dc-bcec562f0763')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n(union isfuzzy=true\n(OfficeActivity | where UserAgent != \"\"),\n(OfficeActivity\n| where RecordType in (\"AzureActiveDirectory\", \"AzureActiveDirectoryStsLogon\")\n| extend OperationName = Operation\n| parse ExtendedProperties with * 'User-Agent\\\\\":\\\\\"' UserAgent2 '\\\\' *\n| parse ExtendedProperties with * 'UserAgent\", \"Value\": \"' UserAgent1 '\"' *\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(AzureDiagnostics\n| where ResourceType =~ \"APPLICATIONGATEWAYS\" \n| where OperationName =~ \"ApplicationGatewayAccess\" \n| extend ClientIP = columnifexists(\"clientIP_s\", \"None\"), UserAgent = columnifexists(\"userAgent_s\", \"None\")\n| where UserAgent != '-'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\n),\n(\nW3CIISLog\n| where 
isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n),\n(SigninLogs\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n)\n)\n// Likely artefact of hardcoding\n| where UserAgent startswith \"User\" or UserAgent startswith '\\\"'\n// Incorrect casing\nor (UserAgent startswith \"Mozilla\" and not(UserAgent containscs \"Mozilla\"))\n// Incorrect casing\nor UserAgent containscs \"(Compatible;\"\n// Missing MSIE version\nor UserAgent matches regex @\"MSIE\\s?;\"\n// Incorrect spacing around MSIE version\nor UserAgent matches regex @\"MSIE(?:\\d|.{1,5}?\\d\\s;)\"\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "Malformed user agent", + "enabled": false, + "description": "Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\nMalformed user agents can be an indication of such malware.", + "alertRuleTemplateName": "a357535e-f722-4afe-b375-cff362b2b376" + } + } + ] +} \ No newline at end of file From f18f67c3fc0c9ffe7fda53dabc443dfcfed84d39 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:42 +0000 Subject: [PATCH 202/375] Exported file: Malicious Inbox Rule.json.json --- .../Malicious Inbox Rule.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malicious Inbox Rule.json diff --git a/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json new file mode 100644 index 00000000..42b68850 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json 
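Review bot: The first union branch, `(OfficeActivity | where UserAgent != "")`, never aliases `ClientIP`/`UserId` to `SourceIP`/`Account` and has no `StartTime`, so every hit from it arrives with empty `IPCustomEntity`, `AccountCustomEntity` and `timestamp` — no entities on the incident and one raw event per row over a daily window. Align it with the other branches: `(OfficeActivity | where isnotempty(UserAgent) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation),`. The `AzureDiagnostics` branch uses `columnifexists`, the legacy spelling; `column_ifexists` is the documented name and worth normalizing while the query is touched.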
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f4474f5-8c95-4248-a56d-510a85fb07b3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f4474f5-8c95-4248-a56d-510a85fb07b3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\nOfficeActivity\n| where Operation =~ \"New-InboxRule\"\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has \"DeleteMessage\"\n| extend Events=todynamic(Parameters)\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\n| where SubjectContainsWords has_any (Keywords)\n or BodyContainsWords has_any (Keywords)\n or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\n| extend RuleDetail = case(OfficeObjectId contains 
'/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Malicious Inbox Rule", + "enabled": false, + "description": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/", + "alertRuleTemplateName": "7b907bf7-77d4-41d0-a208-5643ff75bf9a" + } + } + ] +} \ No newline at end of file From cfd68e862fa195a36e5304a550bd96f0fc13a0c6 Mon Sep 17 00:00:00 2001 
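Review bot: Restricting to `Operation =~ "New-InboxRule"` misses rule edits, and rules created from the Outlook desktop client are logged as `UpdateInboxRules` with a different parameter layout rather than as `New-InboxRule`, so the most common attacker path — creating the rule inside the compromised user's Outlook — may never hit this detection. `| where Operation in~ ("New-InboxRule", "Set-InboxRule")` closes the PowerShell/OWA edit gap; `UpdateInboxRules` needs its own parse of the properties field (confirm the column name in your OfficeActivity data before wiring it in). The folder filter could also include the places attackers commonly hide mail: `| where Parameters has_any ("Deleted Items", "Junk Email", "DeleteMessage", "RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive", "MarkAsRead")`. The keyword entries `" alert"` and `" suspicious"` carry a leading space that `has_any` appears to treat as a term boundary rather than part of the match, which is harmless but suggests a substring intent the operator does not deliver.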
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:43 +0000 Subject: [PATCH 203/375] Exported file: Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json.json --- ...rmerly Microsoft Defender ATP) alerts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json diff --git a/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json new file mode 100644 index 00000000..bbd554cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91d5304a-0628-4ab8-9c57-670bb4da620b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91d5304a-0628-4ab8-9c57-670bb4da620b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]); \nlet alertData = materialize(SecurityAlert \n| where TimeGenerated > ago(alertTimeWindow) \n| where ProviderName == \"MDATP\" \n// Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) \n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\" \n| where alertData.Name has_any(scriptExtensions) \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = 
fileData\n| join kind=inner (hostData) on SystemAlertId \n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join ( \n// Find requests that were made to this file on the impacted server in the W3CIISLog table \nW3CIISLog \n| where TimeGenerated > ago(logTimeWindow) \n// Restrict to accesses to script extensions \n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n// Expose the attacker ip address as a custom entity\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" 
+ ], + "techniques": null, + "displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts", + "enabled": false, + "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.", + "alertRuleTemplateName": "fbfbf530-506b-49a4-81ad-4030885a195c" + } + } + ] +} \ No newline at end of file From 08fd9565e5582656b4f16aef826ebe970ca262fc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:43 +0000 Subject: [PATCH 204/375] Exported file: Malware in the recycle bin (Normalized Process Events).json.json --- ...cycle bin (Normalized Process Events).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json new file mode 100644 index 00000000..95da1d03 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json 
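Review bot: The correlation `join ... on FileName, HostName` in the query property is case-sensitive (KQL string join keys compare exactly), while IIS URI paths and Windows host names are not, so `Shell.aspx` in the MDE file entity will not match `shell.aspx` in `csUriStem`, and `sComputerName` may differ in case from the alert's `HostName`. Normalize both sides before joining, e.g. `| extend FileName = tolower(tostring(alertData.Name)), Directory = tostring(alertData.Directory)` on the alert side and `| extend FileName = tolower(tostring(splitUriStem[-1])), HostName = tolower(sComputerName)` on the W3CIISLog side. Whether the MDE host entity and `sComputerName` use the same name form (short vs. FQDN) is not visible here and is worth confirming against real alert data. `"techniques": null` could carry `T1505.003` to match the Persistence tactic, and the description says `WCSIISLog` where the table is `W3CIISLog`.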
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e669ef82-838e-40b8-8423-efd8303206c6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e669ef82-838e-40b8-8423-efd8303206c6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]); \nimProcessCreate\n| where CommandLine has \"recycler\"\n| where Process has_any (procList)\n| extend FileName = tostring(split(Process, '\\\\')[-1])\n| where FileName in~ (procList)\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Malware in the recycle bin (Normalized Process Events)", + "enabled": false, + "description": "Identifies malware that has been hidden in the recycle bin.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "61988db3-0565-49b5-b8e3-747195baac6e" + } + } + ] +} \ No newline at end of file From d820bb2883e201bec5fdc72ae0e1db0c91edbcb9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:44 +0000 Subject: [PATCH 205/375] Exported file: Malware in the recycle bin.json.json --- .../Malware in the recycle bin.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin.json diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin.json b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json new file mode 100644 index 00000000..89fa2d07 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Malware in the recycle bin", + "enabled": false, + "description": "Identifies malware that has been hidden in the recycle bin.\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.", + "alertRuleTemplateName": "75bf9902-0789-47c1-a5d8-f57046aa72df" + } + } + ] +} \ No newline at end of file From a6363dab7a3d13af137e9eab033965d8cb5ae754 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:45 +0000 Subject: [PATCH 206/375] Exported file: Mass secret retrieval from Azure Key Vault.json.json --- ...secret retrieval from Azure Key Vault.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json diff --git a/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json new file mode 100644 index 00000000..830e90fb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f5a5c06-ca09-4075-890a-e46be2ee412a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f5a5c06-ca09-4075-890a-e46be2ee412a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventCountThreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where 
OperationName in (OperationList) \n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\n| where count_ > EventCountThreshold \n| join (\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where OperationName in~ (OperationList) \n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Mass secret retrieval from Azure Key Vault", + "enabled": false, + "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", + "alertRuleTemplateName": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c" + } + } + ] +} \ No newline at end of file From e23bdae2fda54e8c0701e6b28d72eeb3a3b53540 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:46 +0000 Subject: [PATCH 207/375] Exported file: Microsoft COVID-19 file hash indicator matches.json.json --- ... COVID-19 file hash indicator matches.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json 
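Review bot: `EventCount=sum(count_)` in the final summarize over-reports: after the `join` on the object identifier every event row carries the per-operation `count_` from the left side, so summing it multiplies that count by the number of joined rows (and again when the same identity crossed the threshold for more than one `OperationName`, since the join key omits `OperationName`). Report the threshold-crossing count once with `OperationCount = max(count_)` and the rows actually matched with `EventCount = count()`, or add `OperationName` to the join key. Separately, the right side of the join is not restricted to `ResourceType =~ "VAULTS" and ResultType =~ "Success"` the way the left side is, so failed and non-vault operations by that identity are folded into the alert detail; apply the same filter there. `makelist` is a deprecated alias of `make_list`.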
diff --git a/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json new file mode 100644 index 00000000..da0a76f1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58279f6d-5629-40b2-852b-66c575dbb0ca')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58279f6d-5629-40b2-852b-66c575dbb0ca')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project 
CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Microsoft COVID-19 file hash indicator matches", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/", + "alertRuleTemplateName": "2be4ef67-a93f-4d8a-981a-88158cb73abd" + } + } + ] +} \ No newline at end of file From baabb4d7993fcba4dff1e6d33985a1311da03eb3 Mon Sep 17 00:00:00 2001 
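Review bot: The `externaldata` call in the query property fetches the indicator CSV from the mutable `master` branch of a public GitHub repository on every run, so the rule's detection content is whatever that branch serves at execution time: anyone who can change that file can add or silently remove hashes, and if the file moves or is deleted the rule degrades to a permanent no-op with no alert to show it. Pin the URL to a specific commit (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv`) or, better, ingest the CSV into `ThreatIntelligenceIndicator` and match from that table so the feed is versioned and auditable inside the workspace. Also `"queryPeriod": "P14D"` is declared while the query only reads `ago(dt_lookBack)` with `dt_lookBack = 1h`, so the 14-day window is never used; align the two so the configured lookback matches what actually runs.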
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:46 +0000 Subject: [PATCH 208/375] Exported file: Modified domain federation trust settings.json.json --- ...fied domain federation trust settings.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Modified domain federation trust settings.json diff --git a/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json new file mode 100644 index 00000000..bc30cc1f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n| mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where NewDomainValue has \"Federated\"\n)\n)\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Modified domain federation trust settings", + "enabled": false, + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af" + } + } + ] +} \ No newline at end of file From 3fe569f246717c0b34c8fe8b3f86f43fb6222a2c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:47 +0000 Subject: [PATCH 209/375] Exported file: Monitor AWS Credential abuse or hijacking.json.json --- ...tor AWS Credential abuse or hijacking.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json diff --git a/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json new file mode 100644 index 00000000..3a788cd8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json 
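Review bot: The `| mv-expand AdditionalDetails` in the first union branch turns each audit event into one row per AdditionalDetails entry (on top of the per-`modifiedProperties` expansion), and the later `iff(AdditionalDetails.key == "User-Agent", ...)` fills `UserAgent` on only one of those rows, so a single federation change can surface as several alerts, most with an empty `UserAgent`. The second branch (`Set domain authentication`) never expands `AdditionalDetails`, so for those events the comparison runs against the whole array and `UserAgent` is always empty. Extract the value without multiplying rows, e.g. in both branches replace the expansion and the `iff` with `| mv-apply Detail = AdditionalDetails on (summarize UserAgent = max(iff(tostring(Detail.key) == "User-Agent", tostring(Detail.value), "")))` — verify on events whose `AdditionalDetails` is empty, which this form may drop. `"techniques": null` could carry `T1484.002` (Domain Trust Modification), which is what this rule detects.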
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44975607-3f23-4632-871e-b08b59ebd68c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44975607-3f23-4632-871e-b08b59ebd68c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nAWSCloudTrail\n| where EventName =~ \"GetCallerIdentity\" and UserIdentityType =~ \"AssumedRole\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n| sort by EndTime desc nulls last \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Monitor AWS Credential abuse or hijacking", + "enabled": false, + "description": "Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html ", + "alertRuleTemplateName": "32555639-b639-4c2b-afda-c0ae0abefa55" + } + } + ] +} \ No newline at end of file From 996a4c29a0c793bd2df327dfeb6ded839f185f2f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:48 +0000 Subject: [PATCH 210/375] Exported file: Multiple Password Reset by user.json.json --- .../Multiple Password Reset by user.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple Password Reset by user.json diff --git a/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json new file mode 100644 index 00000000..d4e7b35e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet PerUserThreshold = 5;\nlet TotalThreshold = 100;\nlet action = dynamic([\"change\", \"changed\", \"reset\"]);\nlet pWord = dynamic([\"password\", \"credentials\"]);\nlet PasswordResetMultiDataSource =\n(union isfuzzy=true\n(//Password reset events\n//4723: An attempt was made to change an account's password\n//4724: An attempt was made to reset an accounts password\nSecurityEvent\n| where EventID in (\"4723\",\"4724\")\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\n(//Azure Active Directory Password reset events\nAuditLogs\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \"success\"\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \nTargetUserName = tolower(tostring(TargetResources[0].displayName))\n| project TimeGenerated, AccountType, Account, Computer = \"\", Type),\n(//OfficeActive ActiveDirectory Password reset events\nOfficeActivity\n| where OfficeWorkload == \"AzureActiveDirectory\" \n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties 
has_any (action) or ModifiedProperties has_any (action))\n| extend AccountType = UserType, Account = OfficeObjectId \n| project TimeGenerated, AccountType, Account, Type, Computer = \"\"),\n(// Unix syslog password reset events\nSyslog\n| where Facility in (\"auth\",\"authpriv\")\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\n| extend AccountType = iif(SyslogMessage contains \"root\", \"Root\", \"Non-Root\")\n| where SyslogMessage matches regex \".*password changed for.*\"\n| parse SyslogMessage with * \"password changed for\" Account\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\n);\nlet pwrmd = PasswordResetMultiDataSource\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\n(union isfuzzy=true \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\n| where Total > PerUserThreshold\n| extend ResetPivot = \"PerUserReset\"), \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\n| where Total > TotalThreshold\n| extend ResetPivot = \"TotalUserReset\")\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Multiple Password Reset by user", + "enabled": false, + "description": "This query will determine multiple password resets by user across multiple data sources. \nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \nand certain permission levels within an environment.", + "alertRuleTemplateName": "0b9ae89d-8cad-461c-808f-0494f70ad5c4" + } + } + ] +} \ No newline at end of file From 228a4508947a8979cf79f9dd8b5d7255ae15bc88 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:49 +0000 Subject: [PATCH 211/375] Exported file: Multiple RDP connections from Single System.json.json --- ...le RDP connections from Single System.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json diff --git a/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json new file mode 100644 index 00000000..7e1b85c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json 
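Review bot: In the `AuditLogs` branch of the union, `TargetUserName` is computed by the `extend` and then dropped by the following `project TimeGenerated, AccountType, Account, Computer = "", Type`, so `TargetUserList`/`TargetUserName` in both summarize pivots are always empty for Azure AD resets. Adding it to the projection, `| project TimeGenerated, AccountType, Account, Computer = "", Type, TargetUserName`, restores it. The two pivots also name the same set differently (`Computerlist` in the per-user branch, `ComputerList` in the total branch); pick one spelling so the alert columns are stable across both.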
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aaa53051-1af4-42d9-a523-c08752580ade')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aaa53051-1af4-42d9-a523-c08752580ade')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName\n| join kind=leftouter (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\n) on Account, IpAddress\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\n// Where the ratio of today to previous 7 days is more than double.\n| where Ratio > threshold\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n| extend timestamp = StartTimeUtc, 
AccountCustomEntity = Account, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Multiple RDP connections from Single System", + "enabled": false, + "description": "Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \nConnections from the same system with the same account within the same day.\nRDP connections are indicated by the EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "78422ef2-62bf-48ca-9bab-72c69818a425" + } + } + ] +} \ No newline at end of file From 8b26566f99ad308dd6648e99a09acc529a3f2684 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:49 +0000 Subject: [PATCH 212/375] Exported file: Multiple Teams deleted by a single user.json.json --- ...ltiple Teams deleted by a single user.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json diff --git a/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json new file mode 100644 index 00000000..71af8d26 --- /dev/null 
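Review bot: The summarize uses the deprecated `makeset()` (`ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)`) while the sibling rules in this commit use `make_set()`; switching to `ComputerSet = make_set(Computer), ProcessSet = make_set(ProcessName)` keeps the rules consistent and avoids an alias Kusto may retire. Note also that with `Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ...)` and `threshold = 2.0`, any account/IP pair with no prior 7-day history and three or more RDP targets today alerts on the raw count rather than a ratio; the description should say so, as first-seen accounts will dominate triage.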
+++ b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c20c6d74-5470-4242-a748-d5625abb65b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c20c6d74-5470-4242-a748-d5625abb65b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\n// Adjust this value to change how many Teams should be deleted before including\nlet max_delete_count = 3;\n// Adjust this value to change the timewindow the query runs over\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\" \n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\n| where array_length(DeletedTeams) > max_delete_count\n| extend timestamp = StartTime, AccountCustomEntity = UserId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Multiple Teams deleted by a single user", + 
"enabled": false, + "description": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.", + "alertRuleTemplateName": "173f8699-6af5-484a-8b06-8c47ba89b380" + } + } + ] +} \ No newline at end of file From 6f925e553695b6baa636faeed9088b3d699b6338 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:50 +0000 Subject: [PATCH 213/375] Exported file: Multiple users email forwarded to same destination.json.json --- ...s email forwarded to same destination.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json diff --git a/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json new file mode 100644 index 00000000..4346f1d9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json 
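Review bot: The description says the rule flags "deleting multiple teams within an hour", but `queryFrequency` and `queryPeriod` are both `P1D`, so `DeletedTeams` is counted per user per day; either the description or the period should be aligned. The query also carries the comment `// Adjust this value to change the timewindow the query runs over` with no value under it — the time-window variable it refers to appears to have been removed from the original template — which will mislead whoever tunes it; drop the comment or reinstate a `let` that the pipeline actually uses.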
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/066d6852-04de-4dab-9b95-bd3d2835a859')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/066d6852-04de-4dab-9b95-bd3d2835a859')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nOfficeActivity\n| where Operation =~ \"Set-Mailbox\"\n| where Parameters has \"ForwardingSmtpAddress\"\n| extend parsed = parse_json(Parameters)\n| mv-expand parsed\n| where parsed.Name == \"ForwardingSmtpAddress\"\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\n| where isnotempty(fwdingDestination)\n| extend ClientIPOnly = case( \nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[0]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[0]), \nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[0]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[0]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisnotempty(ClientIP), 
ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n) \n| extend Port = case(\nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[1]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[1]), \nClientIP has ']-', tostring(split(ClientIP,\"]-\")[1]), \nClientIP has ']:', tostring(split(ClientIP,\"]:\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[1]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\"]-\")[1]),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\"]:\")[1]),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n)\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \n| where DistinctUserCount > 1\n| mv-expand UserId\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + 
"fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection", + "Exfiltration" + ], + "techniques": null, + "displayName": "Multiple users email forwarded to same destination", + "enabled": false, + "description": "Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.", + "alertRuleTemplateName": "871ba14c-88ef-48aa-ad38-810f26760ca3" + } + } + ] +} \ No newline at end of file From 15a6d980c4d2cff3c11c9efe12cb5b77ad64984d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:51 +0000 Subject: [PATCH 214/375] Exported file: NOBELIUM - Domain and IP IOCs - March 2021.json.json --- ...IUM - Domain and IP IOCs - March 2021.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json new file mode 100644 index 00000000..bb90e636 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json 
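Review bot: The filter `Parameters has "ForwardingSmtpAddress"` and the later `parsed.Name == "ForwardingSmtpAddress"` only catch external SMTP forwarding set via `Set-Mailbox`; forwarding configured through the `ForwardingAddress` parameter (an internal recipient or mail contact) or through inbox rules produces no alert, so coverage is narrower than the display name suggests. If that is intentional, state it in the description; otherwise `Parameters has_any ("ForwardingSmtpAddress", "ForwardingAddress")` and `parsed.Name in ("ForwardingSmtpAddress", "ForwardingAddress")` widen it without changing the rest of the pipeline. The `UserId`/`ClientIP` fallbacks also depend on `UserId_` and `ClientIP_` columns, which should be confirmed to exist in this workspace's `OfficeActivity` schema.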
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b63935f5-aae3-45b5-bd0d-f2da794fd126')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b63935f5-aae3-45b5-bd0d-f2da794fd126')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\nlet IPList = dynamic(['185.225.69.69']);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (DomainNames), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp 
= TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "NOBELIUM - Domain and IP IOCs - March 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "bb8a3481-dd14-4e76-8dcc-bbec8776d695" + } + } + ] +} \ No newline at end of file From eee96ce6f8eb5bcf5b8b15a388a7fd8d1c9a5b01 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:52 +0000 Subject: [PATCH 215/375] Exported file: NOBELIUM - Domain, Hash and IP IOCs - May 2021.json.json --- ...- Domain, Hash and IP IOCs - May 2021.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json 
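Review bot: In the `CommonSecurityLog` branch the row filter uses `RequestURL has_any (DomainNames)` but the `IPMatch` case tests `RequestURL in (DomainNames)`, an exact-equality check, so a URL that merely contains one of the domains passes the filter and is then labelled `"NoMatch"`, and `IPCustomEntity` becomes the literal `"NoMatch"` as well; change the case branch to `RequestURL has_any (DomainNames), "RequestUrl"`. The same `in` vs `has_any` mismatch is present in the May 2021 rule in the next file (`RequestURL in (domains)`). Separately, mapping `IPCustomEntity` to the string `"NoMatch"` creates a bogus IP entity on every such alert; an empty string (or leaving the column unset) avoids that.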
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json new file mode 100644 index 00000000..7c8dfcb9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce11fda8-f604-4547-af58-fa313e8a8146')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce11fda8-f604-4547-af58-fa313e8a8146')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ 
(domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) or 
SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + 
}, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "NOBELIUM - Domain, Hash and IP IOCs - May 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b" + } + } + ] +} \ No newline at end of file From 5eda055329f88f2cff43208d8027307c4f808d65 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:52 +0000 Subject: [PATCH 216/375] Exported file: NOBELIUM - Script payload stored in Registry.json.json --- ...M - Script payload stored in Registry.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json new file mode 100644 index 00000000..6cef6629 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json 
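Review bot: The IOC set is fetched at every run with `externaldata(...)` from a raw GitHub URL on the `master` branch, so the detection content is whatever that path serves at query time and the rule fails outright if the fetch fails; an unpinned remote file is a supply-chain and availability dependency for a detection rule, so prefer ingesting these indicators into `ThreatIntelligenceIndicator`, or at least pin the URL to an immutable ref (`<COMMIT-SHA placeholder>`) and document the source. Two branches also lose their entity mapping: the `WindowsFirewall` branch computes `IPMatch` but never sets `IPCustomEntity` or `timestamp`, and the Sysmon `Event` network branch filters on `ips` yet its `IPMatch` case only tests `IPList`, so hits from the CSV IPs map to `"None"`; extend that case with `SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP"` as the `VMConnection` branch already does. The `CommonSecurityLog` case likewise repeats `MessageIP in (IPList)` where `MessageIP in (ips)` was presumably intended.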
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b131e363-3009-4942-a35c-14d5c7284ead')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b131e363-3009-4942-a35c-14d5c7284ead')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let cmdTokens0 = dynamic(['vbscript','jscript']);\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\nSecurityEvent\n| where TimeGenerated >= ago(14d)\n| where EventID == 4688\n| where CommandLine has @'\\Microsoft\\Windows\\CurrentVersion'\n| where not(CommandLine has_any (@'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', @'\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'))\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\n//| where CommandLine has_any (cmdTokens0)\n//| where CommandLine has_all (cmdTokens1)\n| where CommandLine has_all (cmdTokens2)\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "NOBELIUM - Script payload stored in Registry", + "enabled": false, + "description": "This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "00cb180c-08a8-4e55-a276-63fb1442d5b5" + } + } + ] +} \ No newline at end of file From b5277292c122278ff7d7e424e44aeabd3a8e46a6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:53 +0000 Subject: [PATCH 217/375] Exported file: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json.json --- ... vbscript (Normalized Process Events).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json new file mode 100644 index 00000000..052758f7 --- /dev/null 
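Review bot: The query's `| where TimeGenerated >= ago(14d)` filter does not match the rule's `"queryPeriod": "P1D"`; a scheduled rule only sees data inside queryPeriod, so the 14-day filter is dead code that misleads a reader into thinking the rule looks back two weeks. Either drop that line or, if a 14-day lookback was intended, set `"queryPeriod": "P14D"` so the configuration and the KQL agree. The explicit exclusion of the `\Run` and `\RunOnce` keys also deserves a one-line comment in the query such as `// Run/RunOnce writes are deliberately excluded; they are covered by autostart-persistence rules`, since on its face it looks like the rule is ignoring the most common autostart locations.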
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/beb39f94-ac53-4ab4-b1c2-7b591497b571')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/beb39f94-ac53-4ab4-b1c2-7b591497b571')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)", + "enabled": false, + 
"description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "bdf04f58-242b-4729-b376-577c4bdf5d3a" + } + } + ] +} \ No newline at end of file From 8df14a9886b8f1fd80d442a0dddbd52c3811b374 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:54 +0000 Subject: [PATCH 218/375] Exported file: NOBELIUM - suspicious rundll32.exe execution of vbscript.json.json --- ...us rundll32.exe execution of vbscript.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json new file mode 100644 index 00000000..db510457 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json 
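Review bot: The normalized query uses `| where CommandLine has_any ('Execute','RegRead','window.close')`, whereas the SecurityEvent variant of this same rule (and the description, "a specific set of inline VBScript commands") requires all three tokens with `has_all`; `has_any` fires on any rundll32 command line containing a single word like "Execute", which is far noisier and is a different detection from the one the display name promises. Change the line to `| where CommandLine has_all ('Execute','RegRead','window.close')` so both variants implement the same logic. The description string also misspells "identifies" as "idenifies".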
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "SecurityEvent\n| where EventID == 4688\n| where Process =~ 'rundll32.exe' \n| where CommandLine has_all ('Execute','RegRead','window.close')\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript", + "enabled": 
false, + "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "d82e1987-4356-4a7b-bc5e-064f29b143c0" + } + } + ] +} \ No newline at end of file From cfc172d661b1ee498b43430c8ffd574564c0e011 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:55 +0000 Subject: [PATCH 219/375] Exported file: NOBELIUM IOCs related to FoggyWeb backdoor.json.json --- ...IUM IOCs related to FoggyWeb backdoor.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json new file mode 100644 index 00000000..aa714c41 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json 
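Review bot: The description string misspells "identifies" as "idenifies" and should read `"This query identifies when rundll32.exe executes a specific set of inline VBScript commands..."`. Separately, this rule is tagged `"tactics": ["Persistence"]` while the sibling "Script payload stored in Registry" rule is tagged Execution; from the visible queries it looks like the registry write is the persistence step and the rundll32 invocation is the execution step, so the tactic tags appear swapped between the two rules — worth confirming against the referenced blog post before leaving as is.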
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57b338f9-1c0e-42ee-9b56-1af8886e2047')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57b338f9-1c0e-42ee-9b56-1af8886e2047')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"..\",\n\"..\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 
'\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "NOBELIUM IOCs related to FoggyWeb backdoor", + "enabled": false, + "description": "Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\n Reference: https://aka.ms/nobelium-foggy-web", + "alertRuleTemplateName": "c37711a4-5f44-4472-8afc-0679bc0ef966" + } + } + ] +} \ No newline at end of file From ec85d8b11755cef6b66d960388a588c8fc822e7a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:55 +0000 Subject: [PATCH 220/375] Exported file: Network endpoint to host executable correlation.json.json --- ...dpoint to host executable correlation.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json diff --git a/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json new file mode 100644 index 00000000..af693c3b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json 
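Review bot: In the W3CIISLog branch the aggregation is inverted: `StartTime = max(TimeGenerated), EndTime = min(TimeGenerated)` yields a StartTime later than EndTime, and `timestamp = StartTime` then points at the latest rather than the earliest request; it should be `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), cIP_MethodCount = count()`. The IOC set is also fetched at runtime via `externaldata` from the unpinned `master` branch of a public GitHub repository, so the rule's behaviour silently changes with that file and anyone who can alter it can blind or redirect the detection; pin the URL to a specific commit hash (or import the IOCs into a watchlist/ThreatIntelligenceIndicator) rather than `.../Azure-Sentinel/master/...`. Note as well that the hash comparisons use `has_any`, a term-based substring match, while the CommonSecurityLog branch uses case-sensitive `in`; `in~` would give exact, case-insensitive matching consistently across branches.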
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d012df68-9c36-431a-acc1-704063e21101')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d012df68-9c36-431a-acc1-704063e21101')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet endpointData = \n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n );\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Network endpoint to host executable correlation", + "enabled": false, + "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.", + "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43" + } + } + ] +} \ No newline at end of file From 06fd7019a1d1cad6e542e7f8a2246edcfbe4117a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:56 +0000 Subject: [PATCH 221/375] Exported file: New Agent Added to Pool by New User or Added to a New OS Type_.json.json --- ...y New User or Added to a New OS Type_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json diff --git a/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json new file mode 100644 index 00000000..9ce08ffd --- /dev/null +++ b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json 
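Review bot: The join key is case-mismatched: the Trend Micro side is normalised with `suspectExeName = tolower(...)`, but the endpoint side `shortFileName = tostring(split(NewProcessName, '\\\\')[-1])` is not, and KQL `==` in a join is case-sensitive, so any 4688 event whose executable name contains an upper-case letter (very common on Windows) never correlates and the rule silently misses. Lowercase both sides: `| extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))`. It is also worth a comment that the correlation is by bare file name only, so a same-named benign binary on an endpoint will surface as a match.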
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa482a76-22d1-469d-8a47-510e71286ddd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa482a76-22d1-469d-8a47-510e71286ddd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookback = 14d;\nlet timeframe = 1d;\n// exclude allowed users from query such as the ADO service\nlet allowed_users = dynamic([\"Azure DevOps Service\"]);\nunion\n// Look for agents being added to a pool of a OS type not seen with that pool before\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])\n| project AgentPoolName, OsDescription\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])) on AgentPoolName, OsDescription),\n// Look for users addeing agents to a pool that they have not added agents to 
before.\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| where ActorUPN !in (allowed_users)\n| project AgentPoolName, ActorUPN\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n) on AgentPoolName, ActorUPN)\n| extend AgentName = tostring(Data.AgentName)\n| extend OsDescription = tostring(Data.OsDescription)\n| extend SystemDetails = Data.SystemCapabilities\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "New Agent Added to Pool by New User or Added to a New OS Type.", + "enabled": false, + "description": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. 
\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \nconfigurable allow list to allow for certain users to be excluded from the logic.", + "alertRuleTemplateName": "4ce177b3-56b1-4f0e-b83e-27eed4cb0b16" + } + } + ] +} \ No newline at end of file From 25d4a19aba8d7699e23e985bf660026ce6dc359c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:57 +0000 Subject: [PATCH 222/375] Exported file: New CloudShell User.json.json --- .../New CloudShell User.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New CloudShell User.json diff --git a/SentinelExported-AnalyticsRule/New CloudShell User.json b/SentinelExported-AnalyticsRule/New CloudShell User.json new file mode 100644 index 00000000..52d70ed6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New CloudShell User.json 
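Review bot: The second union branch's baseline subquery (the "users adding agents to a pool they have not added agents to before" lookup) is missing the `OperationName` filter that the current-window side has, so its (AgentPoolName, ActorUPN) baseline is built from any audit event carrying `Data.AgentPoolName`, and a user who previously did any other pool operation will not alert when they add an agent for the first time. Add `| where OperationName =~ "Library.AgentAdded"` immediately after the `TimeGenerated` filter in that baseline subquery. The first branch also mixes `=~` in the baseline with `==` in the current window for the same OperationName comparison; use one operator in both places so the two sides can never disagree on casing.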
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb49283b-b564-43d4-868c-2a6186144d8e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb49283b-b564-43d4-868c-2a6186144d8e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\") \n| where ActivityStatusValue == \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\") \n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + 
"Execution" + ], + "techniques": null, + "displayName": "New CloudShell User", + "enabled": false, + "description": "Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only expected user are using CloudShell", + "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e" + } + } + ] +} \ No newline at end of file From f535ce820de30246a541c554c0a077297dc6dbf2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:58 +0000 Subject: [PATCH 223/375] Exported file: New High Severity Vulnerability Detected Across Multiple Hosts (1).json.json --- ...ty Detected Across Multiple Hosts (1).json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json new file mode 100644 index 00000000..caab1b82 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json 
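Review bot: The rule carries no `entityMappings`, so the `Caller`, `AzureIP` and `UserIP` columns the query produces never become Account/IP entities on the incident, unlike the sibling rules in this series that map `AccountCustomEntity`/`IPCustomEntity`. Appending `| extend AccountCustomEntity = Caller, IPCustomEntity = UserIP` to the query and adding the matching `entityMappings` block (Account → FullName, IP → Address) would make the incidents groupable and enrichable. The final `summarize count() by ...` also groups on `Properties` and `HTTPRequest`, which look unique per event, so the count is effectively always 1 and the rule emits one row per matching pair; grouping on the identity and IP columns alone would collapse that.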
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f88f852a-b2cb-4e34-b282-36549eb50b2b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f88f852a-b2cb-4e34-b282-36549eb50b2b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "enabled": false, + "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts", + "alertRuleTemplateName": "6116dc19-475a-4148-84b2-efe89c073e27" + } + } + ] +} \ No newline at end of file 
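Review bot: This rule and the one added in the next commit (`New High Severity Vulnerability Detected Across Multiple Hosts.json`, template 84cf1d59-f620-4fee-b569-68daf7008b7b) share the identical `displayName` while querying different tables (`QualysHostDetectionV2_CL` here, `QualysHostDetection_CL` there), so their incidents are indistinguishable in the incident queue. Suggest naming them apart, e.g. `"displayName": "New High Severity Vulnerability Detected Across Multiple Hosts (Qualys V2)"`. Both descriptions also carry the typo `multilple` → `multiple`. The `(1)` suffix in this file name suggests an export collision rather than an intentional second rule; confirm whether one of the two should be retired.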
From c1358ec1e939a0a9be0bc49f870c19c72fd069cf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:58 +0000 Subject: [PATCH 224/375] Exported file: New High Severity Vulnerability Detected Across Multiple Hosts.json.json --- ...bility Detected Across Multiple Hosts.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json new file mode 100644 index 00000000..82fd3921 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61a3f08d-ad2d-49cb-baac-9edc6235e968')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61a3f08d-ad2d-49cb-baac-9edc6235e968')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "enabled": false, + "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts", + "alertRuleTemplateName": 
"84cf1d59-f620-4fee-b569-68daf7008b7b" + } + } + ] +} \ No newline at end of file From 0af43eacbe38e84c2781aee6a4b66c4d300d293d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:17:59 +0000 Subject: [PATCH 225/375] Exported file: New PA, PCA, or PCAS added to Azure DevOps.json.json --- ...A, PCA, or PCAS added to Azure DevOps.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json diff --git a/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json new file mode 100644 index 00000000..3e492d79 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Group.UpdateGroupMembership.Add\"\n| where Details has_any (\"Project Administrators\", \"Project Collection Administrators\", \"Project Collection Service Accounts\", \"Build Administrator\")\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\n| extend timekey = bin(TimeGenerated, 1h)\n| extend ActorUserId = tostring(Data.MemberId)\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\n// Get details of operations conducted by user soon after elevation of permissions\n| join (AzureDevOpsAuditing\n| extend ActorUserId = tostring(Data.MemberId)\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New PA, PCA, or PCAS added to Azure DevOps", + "enabled": false, + "description": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \nshould also be conducted.", + "alertRuleTemplateName": "35ce9aff-1708-45b8-a295-5e9a307f5f17" + } + } + ] +} \ No newline at end of file From e060bf0d9a25b62b43ba5f2a26a5b57e47849439 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:00 +0000 Subject: [PATCH 226/375] Exported file: New UserAgent observed in last 24 hours.json.json --- ...w UserAgent observed in last 24 hours.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json diff --git a/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json new file mode 100644 index 00000000..ffd6f64e --- /dev/null 
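Review bot: The right-hand side of the join re-derives `ActorUserId = tostring(Data.MemberId)`, so the join matches other events whose `Data.MemberId` is the newly added member, not events that member performed as actor, which is what the comment `// Get details of operations conducted by user soon after elevation of permissions` describes. I believe `AzureDevOpsAuditing` has a native `ActorUserId` column; if so, the right side should drop that `extend` and join on the table's own actor id — confirm against a sample row before changing it. Separately, both sides key on `timekey = bin(TimeGenerated, 1h)`, so actions taken minutes after a grant that lands near an hour boundary fall into the next bucket and are missed; joining on the id alone and then filtering `TimeGenerated between (TimeAdded .. TimeAdded + 1h)` closes that gap.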
+++ b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", 
UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "New UserAgent observed in last 24 hours", + "enabled": false, + "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. 
This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.", + "alertRuleTemplateName": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0" + } + } + ] +} \ No newline at end of file From 07a5aef9187035e4630df1dd94ab7d8ca67ea689 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:01 +0000 Subject: [PATCH 227/375] Exported file: New access credential added to Application or Service Principal.json.json --- ...d to Application or Service Principal.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json diff --git a/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json new file mode 100644 index 00000000..45837da8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json 
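Review bot: The final `summarize ... by UserAgent, NormalizedUserAgent, SourceIP, Account, ... csMethod, csUriStem` keeps per-request columns such as `csUriStem`, so a single new user agent seen in W3CIISLog produces one result row per URL path it touched, which is likely the noise the description attributes to W3CIISLog. Dropping the URL-level columns from the final group-by, or folding them with `make_set(csUriStem)`, would yield one row per new agent/source/account. The description also has a typo, `rareity` → `rarity`.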
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb0035d3-3ac9-40d5-976e-6076f906473c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb0035d3-3ac9-40d5-976e-6076f906473c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" 
keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "New access credential added to Application or Service Principal", + "enabled": false, + "description": "This 
will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "79566f41-df67-4e10-a703-c38a6213afd8" + } + } + ] +} \ No newline at end of file From b0346f7c8a695ed3cec364511ded96ce58d459cd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:02 +0000 Subject: [PATCH 228/375] Exported file: New executable via Office FileUploaded Operation.json.json --- ...ble via Office FileUploaded Operation.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json diff --git a/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json new file mode 100644 index 00000000..038be497 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json 
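Review bot: `where old_value_set != "[]"` limits the alert to applications that already had a credential, so the first credential added to a previously credential-less application or service principal is excluded; that matches the description, but the gap is worth stating explicitly, e.g. `Note: the first credential added to an app with no existing KeyCredential does not trigger this rule.` The same line compares a dynamic value with a string literal; `where array_length(old_value_set) > 0` states the intent directly. The user-agent extraction `iff(AdditionalDetails[0].key == "User-Agent", ...)` inspects only the first element of `AdditionalDetails`, so `UserAgent` is empty whenever the array is ordered differently; a `mv-apply` with `where key == "User-Agent"` would be order-independent.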
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\n// a threshold can be enabled, see commented line below for PrevSeenCount\nlet threshold = 2;\nlet uploadOp = 'FileUploaded';\n// Extensions that are interesting. Add/Remove to this list as you see fit\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\nlet starttime = 8d;\nlet endtime = 1d;\nOfficeActivity | where TimeGenerated >= ago(endtime)\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \"upload\" or Operation contains \"download\"\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\n| join kind= leftanti (\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\n//| where PrevSeenCount > threshold\n| mvexpand SourceRelativeUrl, UserId\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId \n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_',UserId))\n// identify when UserId is not a match to the specific site url personal folder reference\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + 
"entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "New executable via Office FileUploaded Operation", + "enabled": false, + "description": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\nAdditionally, identifies when a given user is uploading these files to another users workspace.\nThis may be indication of a staging location for malware or other malicious activity.", + "alertRuleTemplateName": "d722831e-88f5-4e25-b106-4ef6e29f8c13" + } + } + ] +} \ No newline at end of file From 7011fefe9d91855e2ca802a3461c431a7499aa6c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:02 +0000 Subject: [PATCH 229/375] Exported file: New internet-exposed SSH endpoints.json.json --- .../New internet-exposed SSH endpoints.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json diff --git a/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json new file mode 100644 index 00000000..77ac33c9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json 
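Review bot: `execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat'])` is matched with `SourceFileExtension has_any (execExt)`, and `gzip` is unlikely to ever match because the recorded extension for a gzip archive is normally `gz`; confirm against OfficeActivity samples and either drop it or use the real extension. The list is flagged as tunable in the query comment, so the description could name which file types are deliberately out of scope rather than implying all executables are covered. `mvexpand` is the legacy spelling of `mv-expand`; it still parses, but the current operator name avoids a deprecation surprise.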
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de4a8f18-acf0-4738-a6b2-2302216fdf48')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de4a8f18-acf0-4738-a6b2-2302216fdf48')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'; \nlet avgthreshold = 0;\nlet probabilityLimit = 0.01;\nlet ssh_logins = Syslog\n| where Facility contains \"auth\" and ProcessName =~ \"sshd\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) \n| where isnotempty(SourceIP)\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\");\nssh_logins \n| summarize privatecount=countif(ipType==\"private\"), publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, 1d)\n| summarize \npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\n(\n order by todatetime(publicIPLoginHistory['logon_time']) asc\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), 
publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\n)\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\n(\n order by todatetime(privateIPLoginHistory['logon_time']) asc\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\n)\n// Some logins from private IPs\n| where privateAverage > avgthreshold\n// There is a non-zero number of logins from public IPs\n| where publicAverage > avgthreshold\n// Approximate probability of seeing login from a public IP is < 1%\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\n| where probabilityPublic < probabilityLimit\n// Today has the highest number of logins from public IPs that we've seen in the last week\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\n| where publicLoginCountToday >= maxPublicLoginCount\n| extend HostCustomEntity = HostName\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\n// | join kind=rightsemi (\n// ssh_logins\n// | where ipType == \"public\"\n// ) on HostName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New internet-exposed SSH endpoints", + "enabled": false, + "description": "Looks for SSH endpoints with a history of sign-ins 
only from private IP addresses are accessed from a public IP address.", + "alertRuleTemplateName": "4915c713-ab38-432e-800b-8e2d46933de6" + } + } + ] +} \ No newline at end of file From 234c17e393c8bbc762e8fbc7dbc2f399431a95cf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:03 +0000 Subject: [PATCH 230/375] Exported file: New user created and added to the built-in administrators group.json.json --- ... to the built-in administrators group.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json diff --git a/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json new file mode 100644 index 00000000..5c94c4cb --- /dev/null +++ b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json 
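Review bot: `PrivateIPregex` covers only RFC 1918 and loopback, so link-local (`169.254.0.0/16`) and shared-address-space (`100.64.0.0/10`) sources, common in cloud and NAT environments, are classified `public` and can satisfy the `probabilityPublic` test; if those ranges are internal in this estate, extend the pattern with `^169\.254\.|^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.`. The `extract(...)` takes the first dotted quad in `SyslogMessage` and `where isnotempty(SourceIP)` then drops every IPv6 login, so hosts reached over IPv6 never enter the baseline. The description reads `with a history of sign-ins only from private IP addresses are accessed from` and is missing `that` before `are`.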
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "SecurityEvent\n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\n| join (\nSecurityEvent \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \nGroupAddActivity, 
AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "New user created and added to the built-in administrators group", + "enabled": false, + "description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.", + "alertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db" + } + } + ] +} \ No newline at end of file From f62cc817f28c05be105cdb7037aaf83bef7970d1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:04 +0000 Subject: [PATCH 231/375] Exported file: Non Domain Controller Active Directory Replication.json.json --- ...ntroller Active Directory Replication.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json 
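Review bot: The comment `//Create User first, then the add to the group.` is not enforced by the query: the join is on `CreatedUserSid` only, so a 4732 that precedes the 4720 (or any pair in either order within the one-day window) is still reported. Adding `| where GroupAddTime >= CreatedUserTime` after the join makes the rule match its own description. `Computer` also appears on both sides of the join and only the 4720 host survives the final `project`; if the host where the group change happened matters for triage, carry the right-hand column through as well (KQL exposes it as `Computer1`, I believe), e.g. `GroupAddComputer = Computer1`.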
diff --git a/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json new file mode 100644 index 00000000..c5cfad18 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/916dae72-d95a-41c4-9370-30ff57177fbf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/916dae72-d95a-41c4-9370-30ff57177fbf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Non Domain Controller Active Directory Replication", + "enabled": false, + "description": "This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html'", + "alertRuleTemplateName": "b9d2eebc-5dcb-4888-8165-900db44443ab" + } + } + ] +} \ No newline at end of file From 3b27cbdfc9176fe9bc84c0e4ec8d4ac658ec514c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:05 +0000 Subject: [PATCH 232/375] Exported file: OMI Vulnerability Exploitation.json.json --- .../OMI Vulnerability Exploitation.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json 
diff --git a/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json new file mode 100644 index 00000000..c84ef3f2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json @@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major Date: Mon, 27 Feb 2023 02:18:06 +0000 Subject: [PATCH 233/375] Exported file: Office policy tampering.json.json --- .../Office policy tampering.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Office policy tampering.json 
diff --git a/SentinelExported-AnalyticsRule/Office policy tampering.json b/SentinelExported-AnalyticsRule/Office policy tampering.json new file mode 100644 index 00000000..319b74f2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Office policy tampering.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let opList = OfficeActivity \n| summarize by Operation\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\n| where Operation has_any (\"Remove\", \"Disable\")\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\n| summarize make_set(Operation);\nOfficeActivity\n// Only admin or global-admin can disable/remove policy\n| where RecordType =~ \"ExchangeAdmin\"\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// Pass in interesting Operation list\n| where Operation in~ (opList)\n| extend ClientIPOnly = case( \nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP\n) \n| extend Port = case(\nClientIP has \".\", (split(ClientIP,\":\")[1]),\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\nClientIP\n)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, 
Parameters\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Office policy tampering", + "enabled": false, + "description": "Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.", + "alertRuleTemplateName": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3" + } + } + ] +} \ No newline at end of file From aad2414d926b2939d990a22f6d13da43734ee092 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:07 +0000 Subject: [PATCH 234/375] Exported file: PIM Elevation Request Rejected.json.json --- .../PIM Elevation Request Rejected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json 
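Review bot: The `opList` filter only admits operations containing `Remove` or `Disable`, so disabling a policy through its `Set-*` cmdlet (for example `Set-AntiPhishPolicy` or `Set-SafeLinksPolicy` with `-Enabled $false`) is not caught, although the description covers tampering in general. A narrow extension on the main pipeline, e.g. `| where Operation in~ (opList) or (Operation startswith "Set-" and Operation has_any ("AntiPhish","SafeAttachment","SafeLinks","Dlp","Audit") and Parameters has "Enabled")`, would cover that variant; the shape of `Parameters` should be confirmed against live OfficeActivity rows before relying on the `has` match. The `ClientIPOnly` case also assumes any value containing a dot is `IPv4:port`, so an IPv4-mapped IPv6 literal such as `[::ffff:10.0.0.1]:443` would take the first branch and yield a mangled address; testing the `has "["` branch first avoids that.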
diff --git a/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json new file mode 100644 index 00000000..dec0deb4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9e6f155-4049-4401-89e3-a9f769675eb6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9e6f155-4049-4401-89e3-a9f769675eb6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result == \"failure\"\n| extend Role = tostring(TargetResources[3].displayName)\n| extend User = tostring(TargetResources[2].displayName)\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "PIM Elevation Request Rejected", + "enabled": false, + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "alertRuleTemplateName": "7d7e20f8-3384-4b71-811c-f5e950e8306c" + } + } + ] +} \ No newline at end of file From 619d6da4be8a65f9bffff134979e390f211ddc74 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:07 +0000 Subject: [PATCH 235/375] Exported file: Palo Alto - possible internal to external port scanning.json.json --- ...le internal to external port scanning.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json diff --git a/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json new file mode 100644 index 00000000..1a1c74aa --- /dev/null +++ b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nCommonSecurityLog \n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\") \n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer != \"\" \n| where DestinationIP !startswith \"10.\"\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\n| where AdditionalExtensions !has \"reason=aged-out\" \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where AdditionalExtensions !has \"reason=tcp-fin\" \n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": 
"Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Palo Alto - possible internal to external port scanning", + "enabled": false, + "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK", + "alertRuleTemplateName": "5b72f527-e3f6-4a00-9908-8e4fee14da9f" + } + } + ] +} \ No newline at end of file From 61bea94757c1baff9e0277d4d52e4cc162d98813 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:08 +0000 Subject: [PATCH 236/375] Exported file: Palo Alto - potential beaconing detected.json.json --- ...o Alto - potential beaconing detected.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json diff --git a/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json new file mode 100644 index 00000000..88c05774 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (ago(starttime)..ago(endtime))\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, 
SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Palo Alto - potential beaconing detected", + "enabled": false, + "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. 
\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/", + "alertRuleTemplateName": "f0be259a-34ac-4946-aa15-ca2b115d5feb" + } + } + ] +} \ No newline at end of file From 7cdf3cf5418cbb34a9926674fe79dda9077a9aff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:09 +0000 Subject: [PATCH 237/375] Exported file: Password spray attack against Azure AD application.json.json --- ...y attack against Azure AD application.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json diff --git a/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json new file mode 100644 index 00000000..a50426ef --- /dev/null +++ b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json 
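Review bot: The query restricts itself to `TimeGenerated between (ago(starttime)..ago(endtime))`, i.e. between 2 and 1 days ago, but the rule's `queryPeriod` is `P1D`; as far as I can tell Sentinel bounds a scheduled query to that lookback, which would leave the window empty and the rule never firing, so `"queryPeriod": "P2D"` (or dropping the `between` clause) is needed for the two to agree. Separately, rows are sorted by `SourceIP, TimeGenerated` before `next()` is applied, so `TimeDeltainSeconds` is the gap to the source's next flow to any destination, yet the result is later grouped per `DestinationIP`/`DestinationPort`; sorting by `SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc` and also requiring `next(DestinationIP, 1) == DestinationIP` would make the delta a true per-pair interval. `PrivateIPregex` only covers IPv4, so any IPv6 destination is classified as public.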
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\n| summarize 
FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup \n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Password spray attack against Azure AD application", + "enabled": false, + "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. 
If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "alertRuleTemplateName": "48607a29-a26a-4abf-8078-a06dbdd174a4" + } + } + ] +} \ No newline at end of file From 52f1bcfe208eba0ec943bfad450db156cf1d43cc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:10 +0000 Subject: [PATCH 238/375] Exported file: Port Scan Detected.json.json --- .../Port Scan Detected.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Port Scan Detected.json diff --git a/SentinelExported-AnalyticsRule/Port Scan Detected.json b/SentinelExported-AnalyticsRule/Port Scan Detected.json new file mode 100644 index 00000000..9aee9b63 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Port Scan Detected.json 
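Review bot: Result type 50055 appears in both `failureCodes` (`dynamic([50053, 50126, 50055])`) and `successCodes` in the query string, so the same expired-password sign-in is counted as a failure for the window breaches and as a success in `GlobalSuccessPrincipalCount`, which skews the `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` filter that is meant to suppress noisy-but-legitimate IPs. If 50055 is intended as "correct password, expired" (as the inline comment suggests), keep it in exactly one of the two lists and state the choice in the description. The description also has typos (`acccount`, `bought into`), and `techniques` is `null` although the rule's whole purpose is password spraying, so the incident could carry the matching ATT&CK technique (T1110.003).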
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 50;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\"\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\n| where dcount_Dst_Port > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Port Scan Detected", + "enabled": false, + "description": "This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.", + "alertRuleTemplateName": "427e4c9e-8cf4-4094-a684-a2d060dbca38" + } + } + ] +} \ No newline at end of file From 831fc3e208a2b4b9aa6e244cdfdc2e94edcae114 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:10 +0000 Subject: [PATCH 239/375] Exported file: Possible STRONTIUM attempted credential harvesting - Oct 2020.json.json --- ...pted credential harvesting - Oct 2020.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json new file mode 100644 index 00000000..90a1a987 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json 
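Review bot: The `ipv4_is_match` clause discards every RFC 1918 source, so the rule only surfaces scans from external addresses and internal reconnaissance between hosts never triggers; if that is intended, say so in the description (currently "a source IP addresses attempt to communicate ... within a short period", which also needs "a source IP address attempts"), otherwise put the private-range exclusion behind a switch such as `let excludePrivateSources = true;`. The `threshold = 50` distinct ports per 5-minute bin carries no comment on what baseline it was tuned against, which makes later tuning guesswork. `techniques` is `null` although the tactic is Discovery; the rule could carry the ATT&CK technique for network service scanning (T1046).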
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14c4920e-9a71-4680-aa78-da32072e8dc2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14c4920e-9a71-4680-aa78-da32072e8dc2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Possible STRONTIUM attempted credential harvesting - Oct 2020", + "enabled": false, + "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.", + "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c" + } + } + ] +} \ No newline at end of file From 073de6936d03fef64c093d9da198aa2c0f414d64 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:11 +0000 Subject: [PATCH 240/375] Exported file: Possible STRONTIUM attempted credential harvesting - Sept 2020.json.json --- ...ted credential harvesting - Sept 2020.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json new file mode 100644 index 00000000..a0d47cdb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json 
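Review bot: This rule has no `entityMappings` block (the neighbouring Password spray and Port Scan rules do), so the incidents it raises carry no entities and `attemptedAccounts` / `uniqueIPs` are only visible in the raw alert. The `summarize ... by UserAgent` collapses all client IPs into a count, so there is currently no column to map; adding `ClientIP` to the `by` clause, or projecting a representative IP, would allow an `IP` mapping like the other rules' `IPCustomEntity`. The hard-coded `User_Agents` list and the `authAttempts > 500` threshold are 2020 campaign indicators; a comment pointing to the source of the list would make later tuning easier.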
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Possible STRONTIUM attempted credential harvesting - Sept 2020", + "enabled": false, + "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.", + "alertRuleTemplateName": "04384937-e927-4595-8f3c-89ff58ed231f" + } + } + ] +} \ No newline at end of file From cdc873efe8cf318532aa6ba2abd33c2893d66692 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:12 +0000 Subject: [PATCH 241/375] Exported file: Possible contact with a domain generated by a DGA.json.json --- ...tact with a domain generated by a DGA.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json diff --git a/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json new file mode 100644 index 00000000..15c28f10 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json 
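Review bot: `ClientIP has_any (IPs)` with dotted prefixes like `"199.249.230."` is a term match rather than a network-range check, so the trailing dot does not anchor it and an address where that label sequence appears elsewhere (a constructed `10.199.249.230`, for example) may also match. `| where ipv4_is_in_any_range(ClientIP, dynamic(["199.249.230.0/24", ...]))` expresses the /24 intent precisely; the list itself is a set of 2020 indicators that would be easier to maintain as a watchlist than as literals in the query. As in the Oct 2020 variant, there is no `entityMappings` block, so the incident carries neither IP nor account entities, and `techniques` is `null`.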
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/340041fc-2cb7-423b-9da9-ec04a258f864')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/340041fc-2cb7-423b-9da9-ec04a258f864')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet triThreshold = 500;\nlet startTime = 6h;\nlet dgaLengthThreshold = 8;\n// fetch the alexa top 1M domains\nlet top1M = (externaldata (Position:int, Domain:string) [@\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\"] with (format=\"csv\", zipPattern=\"*.csv\"));\n// extract tri grams that are above our threshold - i.e. 
are common\nlet triBaseline = top1M\n| extend Domain = tolower(extract(\"([^.]*).{0,7}$\", 1, Domain))\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", Domain), extract_all(\"(...)\", substring(Domain, 1)), extract_all(\"(...)\", substring(Domain, 2)))\n| mvexpand Trigram=AllTriGrams\n| summarize triCount=count() by tostring(Trigram)\n| sort by triCount desc\n| where triCount > triThreshold\n| distinct Trigram;\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\nlet allDataSummarized = CommonSecurityLog\n| where TimeGenerated > ago(startTime)\n| where isnotempty(DestinationHostName)\n| extend Name = tolower(DestinationHostName)\n| distinct Name\n| where Name has \".\"\n| where Name !endswith \".home\" and Name !endswith \".lan\"\n// extract DGA candidate\n| extend DGADomain = extract(\"([^.]*).{0,7}$\", 1, Name)\n| where strlen(DGADomain) > dgaLengthThreshold\n// throw out domains with number in them\n| where DGADomain matches regex \"^[A-Za-z]{0,}$\"\n// extract the tri grams from summarized data\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", DGADomain), extract_all(\"(...)\", substring(DGADomain, 1)), extract_all(\"(...)\", substring(DGADomain, 2)));\n// throw out domains that have repeating tri's and/or >=3 repeating letters\nlet nonRepeatingTris = allDataSummarized\n| join kind=leftanti\n(\n allDataSummarized\n | mvexpand AllTriGrams\n | summarize count() by tostring(AllTriGrams), DGADomain\n | where count_ > 1\n | distinct DGADomain\n)\non DGADomain;\n// find domains that do not have a common tri in the baseline\nlet dataWithRareTris = nonRepeatingTris\n| join kind=leftanti\n(\n nonRepeatingTris\n | mvexpand AllTriGrams\n | extend Trigram = tostring(AllTriGrams)\n | distinct Trigram, DGADomain\n | join kind=inner\n (\n triBaseline\n )\n on Trigram\n | distinct DGADomain\n)\non DGADomain;\ndataWithRareTris\n// join DGAs back on connection data\n| join kind=inner\n(\n 
CommonSecurityLog\n | where TimeGenerated > ago(startTime)\n | where isnotempty(DestinationHostName)\n | extend DestinationHostName = tolower(DestinationHostName)\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\n)\non Name\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Possible contact with a domain generated by a DGA", + "enabled": false, + "description": "Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.", + "alertRuleTemplateName": "4acd3a04-2fad-4efc-8a4b-51476594cec4" + } + } + ] +} \ No newline at end of file From 25ce915b393d410faf1cf4d152db5fa10bb5c34c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:13 +0000 Subject: [PATCH 242/375] Exported file: Potential Build Process Compromise - MDE.json.json --- ...ential Build Process Compromise - MDE.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json new file mode 100644 index 00000000..7ddfad51 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json 
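Review bot: The baseline list is fetched with `externaldata` from `http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip` over plain HTTP every six hours, so the model that decides which trigrams are "common" is loaded unauthenticated and could be altered in transit, silently suppressing or inflating alerts; switch the URI to `https://` (the bucket appears to serve TLS, confirm) and note the external dependency in the description. The inline comment `// fetch the alexa top 1M domains` and the description's "Alexa Top 1 million" do not match the Cisco Umbrella URL that is actually used; update both to name the real source. `triThreshold`, `startTime` and `dgaLengthThreshold` are explained only in the description, not next to their `let` lines, so whoever tunes the query has to read the ARM template to find the guidance.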
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66ee9d45-4e7e-4b0d-a361-377cd3662750')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66ee9d45-4e7e-4b0d-a361-377cd3662750')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([]);\nDeviceProcessEvents\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where FileName has_any (build_processes)\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nDeviceFileEvents\n| where TimeGenerated > ago(timeframe)\n| where InitiatingProcessFileName !in (allow_list)\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n// Look for code files, edit this to include file extensions used in build.\n| where FileName endswith \".cs\" or FileName 
endswith \".cpp\"\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, DeviceName\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=DeviceName, timestamp=timekey\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Potential Build Process Compromise - MDE", + "enabled": false, + "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463", + "alertRuleTemplateName": "1bf6e165-5e32-420e-ab4f-0da8558a8be2" + } + } + ] +} \ No newline at end of file From dd56fffe04b6c5c6459d5fecc472b3f3cea8e603 Mon Sep 17 00:00:00 2001 
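Review bot: The file filter `FileName endswith ".cs" or FileName endswith ".cpp"` only watches source files, while the build-definition files that MSBuild executes (`.csproj`, `.props`, `.targets`) are an equally effective injection point and are not covered; the inline comment already invites editing the list, so `| where FileName endswith ".cs" or FileName endswith ".cpp" or FileName endswith ".csproj" or FileName endswith ".props" or FileName endswith ".targets"` would close the most common gap, and the same applies to the `ObjectName endswith` filter in the sibling SecurityEvent rule. The join is on `timekey` (5-minute bins), so a build starting at the end of one bin and an edit early in the next never pair even though `BuildProcessTime <= FileEditTime` would hold; that limitation deserves a sentence in the description. `allow_list` is `dynamic([])` here but `dynamic([""])` in the SecurityEvent variant; the two should agree.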
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:14 +0000 Subject: [PATCH 243/375] Exported file: Potential Build Process Compromise.json.json --- .../Potential Build Process Compromise.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise.json diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json new file mode 100644 index 00000000..5e33be49 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([\"\"]);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where EventID == 4688\n| where Process has_any (build_processes)\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for file modifications to code file\n| where EventID == 4663\n| where Process !in (allow_list)\n// Look for code files, edit this to include file extensions used in build.\n| where ObjectName endswith \".cs\" or ObjectName endswith \".cpp\"\n// 
0x6 and 0x4 for file append, 0x100 for file replacements\n| where AccessMask == \"0x6\" or AccessMask == \"0x4\" or AccessMask == \"0X100\"\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, Computer\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=Computer, timestamp=timekey\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Potential Build Process Compromise", + "enabled": false, + "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463", + "alertRuleTemplateName": "5ef06767-b37c-4818-b035-47de950d0046" + } + } + ] +} \ No newline at end of file From 1d6537de96a61c807825ba9d1c26f3248a67271f Mon Sep 17 00:00:00 2001 
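Review bot: `AccessMask == "0X100"` uses an upper-case X while the neighbouring literals use `0x6` and `0x4`; string `==` is case-sensitive in KQL, so if the SecurityEvent table records the mask as `0x100` the file-replacement branch never matches and the rule silently misses exactly the case the comment says it targets. `| where AccessMask in~ ("0x6", "0x4", "0x100")` removes the dependence on case and keeps the three values in one place. `allow_list` is declared as `dynamic([""])` here but `dynamic([])` in the MDE variant; the empty string is harmless for `!in` but the two rules should be consistent.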
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:14 +0000 Subject: [PATCH 244/375] Exported file: Potential DGA detected (ASimDNS).json.json --- .../Potential DGA detected (ASimDNS).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json new file mode 100644 index 00000000..c02a471f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4059cc8c-74ef-43f9-abed-bb067aa015ae')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4059cc8c-74ef-43f9-abed-bb067aa015ae')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P10D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let referencestarttime = 10d;\nlet referenceendtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \n {imDns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\n | where DnsQueryTypeName in (\"A\", \"AAAA\")\n | where ipv4_is_match(\"127.0.0.1\", SrcIpAddr) == False\n | where DnsQuery !contains \"/\" and DnsQuery contains \".\"};\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold\n // Filter out previously seen IPs\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold ) on SrcIpAddr\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\n| summarize 
StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Potential DGA detected (ASimDNS)", + "enabled": false, + "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)'", + "alertRuleTemplateName": "983a6922-894d-413c-9f04-d7add0ecc307" + } + } + ] +} \ No newline at end of file From 41a09e39b04b429260d06a3015551b41bd159473 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:15 +0000 Subject: [PATCH 245/375] Exported file: Potential DGA detected.json.json --- .../Potential DGA detected.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected.json 
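Review bot: The `sld = tostring(split(DnsQuery, ".")[-2])` projection in the `query` string takes the second label from the right, so under multi-label public suffixes (`host.example.co.uk` yields `co`) many distinct registrable domains collapse into one value and `dcount(sld)` undercounts, which can hold a real DGA burst below `threshold`; the sibling file `Potential DGA detected.json` in the next hunk carries the same `split(Name, ".")[-2]`. A suffix-aware extraction (a lookup of known public suffixes, or at least stripping well-known two-label suffixes before taking `[-2]`) would make the count reflect distinct domains. Separately, the `description` ends with a stray apostrophe after the parser link: `...(https://aka.ms/AzSentinelDns)'` should drop the trailing `'`. `techniques` is `null` while `tactics` names `CommandAndControl`; populating it (this detection corresponds to Dynamic Resolution: Domain Generation Algorithms, T1568.002) keeps the exported rule's MITRE metadata consistent.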
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected.json b/SentinelExported-AnalyticsRule/Potential DGA detected.json new file mode 100644 index 00000000..9a4f96e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DGA detected.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P10D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = DnsEvents \n| where ResultCode == 3 \n| where QueryType in (\"A\", \"AAAA\")\n| where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !contains \"/\"\n| where Name contains \".\";\nnxDomainDnsEvents\n| where TimeGenerated > ago(endtime)\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen IPs\n| join kind=leftanti (nxDomainDnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | extend sld = tostring(split(Name, \".\")[-2])\n | summarize dcount(sld) by ClientIP\n | where dcount_sld > threshold ) on ClientIP\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = 
ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Potential DGA detected", + "enabled": false, + "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).", + "alertRuleTemplateName": "a0907abe-6925-4d90-af2b-c7e89dc201a6" + } + } + ] +} \ No newline at end of file From 01e028e12afb4317f82b4147a4f5e9198696b9d8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:16 +0000 Subject: [PATCH 246/375] Exported file: Potential DHCP Starvation Attack.json.json --- .../Potential DHCP Starvation Attack.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json diff --git a/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json new file mode 100644 index 00000000..f7eac851 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 1000;\nInfobloxNIOS\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Potential DHCP Starvation Attack", + "enabled": false, + "description": "This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could 
potentially be an indication of a DHCP Starvation Attack.", + "alertRuleTemplateName": "57e56fc9-417a-4f41-a579-5475aea7b8ce" + } + } + ] +} \ No newline at end of file From 8a3352afca65f907438a5b207d64e3e90a36a5dc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:17 +0000 Subject: [PATCH 247/375] Exported file: Potential Kerberoasting.json.json --- .../Potential Kerberoasting.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Kerberoasting.json diff --git a/SentinelExported-AnalyticsRule/Potential Kerberoasting.json b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json new file mode 100644 index 00000000..93218cde --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json 
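Review bot: The `join kind=inner (InfobloxNIOS | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST") on ServerIP` in the `query` string joins on `ServerIP` alone, so every DHCPREQUEST row in the hour is re-attached to each server that crossed `threshold` in any 5-minute bin and the rule emits one result per raw event (over a thousand rows per spike) instead of one per spike; `TimeGenerated` on the joined row is the 5-minute bin from the left side, not the event time. Either join on the bin as well — `| extend TimeGenerated = bin(TimeGenerated, 5m)` on the right side and `on ServerIP, TimeGenerated` — or drop the join and alert on the summarized row, which already carries `ServerIP`, the bin and `count_`. The `description` also misspells "received" as `recieved` and reads better as `an excessive number of DHCPREQUEST messages have been received`.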
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/697575c4-83f0-4d98-9594-b6f254db566a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/697575c4-83f0-4d98-9594-b6f254db566a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold = 15;\nlet Kerbevent =\nSecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769\n| parse EventData with * 'TicketEncryptionType\">' TicketEncryptionType \"<\" *\n| where TicketEncryptionType == '0x17'\n| parse EventData with * 'TicketOptions\">' TicketOptions \"<\" *\n| where TicketOptions == '0x40810000'\n| parse EventData with * 'Status\">' Status \"<\" *\n| where Status == '0x0'\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\" \n| parse EventData with * 'TargetUserName\">' TargetUserName \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress \"<\" *;\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, 
TicketEncryptionType, Status\n| where ServiceNameCountPrev23h < prev23hThreshold;\nlet Kerbevent1h = \nKerbevent\n| where TimeGenerated >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\nKerbevent1h \n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, TargetDomainName\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\n| where ServiceNameCountPrev1h > prev1hThreshold\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\"\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Potential Kerberoasting", + "enabled": false, + "description": "A service principal name 
(SPN) is used to uniquely identify a service instance in a Windows environment. \nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.", + "alertRuleTemplateName": "1572e66b-20a7-4012-9ec4-77ec4b101bc8" + } + } + ] +} \ No newline at end of file From 180e0c872b0a57f69d1267a3957dea1906f0c6be Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:17 +0000 Subject: [PATCH 248/375] Exported file: Potential Password Spray Attack (Uses Authentication Normalization).json.json --- ...k (Uses Authentication Normalization).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json new file mode 100644 index 00000000..3fc7a639 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json 
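Review bot: The `join kind=leftanti (Kerbevent23h) on TargetUserName, TargetDomainName` in the `query` string appears to invert the baseline comparison: `Kerbevent23h` keeps only accounts with `ServiceNameCountPrev23h < prev23hThreshold`, so the anti-join removes exactly the accounts that were quiet over the prior 23 hours and then requested more than `prev1hThreshold` distinct SPNs — the spike the `description` says the rule hunts for — while accounts that were already busy in the baseline are kept. If a low-baseline/high-last-hour comparison is intended, the baseline filter should likely be `| where ServiceNameCountPrev23h >= prev23hThreshold;` (exclude the habitually busy accounts), or the join made `kind=inner` against the low-baseline set; worth confirming against the template this was exported from. A second gap: `parse EventData with * 'IpAddress">::ffff:' ClientIPAddress "<" *` only extracts IPv4-mapped addresses, so 4769 events whose `IpAddress` is a plain IPv4 or native IPv6 value get an empty `ClientIPAddress` and an empty `IP` entity. `makeset` is the deprecated spelling of `make_set`.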
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8adb0ef2-02b3-4efd-81b3-20f79556d862')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8adb0ef2-02b3-4efd-81b3-20f79556d862')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n , Users = make_set(TargetUserId,100) \n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Potential Password Spray Attack (Uses 
Authentication Normalization)", + "enabled": false, + "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b" + } + } + ] +} \ No newline at end of file From b16923a17136ba0040b08ad94fb69ae3c58fb9a4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:18 +0000 Subject: [PATCH 249/375] Exported file: Potential Password Spray Attack.json.json --- .../Potential Password Spray Attack.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack.json diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json new file mode 100644 index 00000000..ac884a34 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json 
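Review bot: `Products=make_set(EventVendor)` in the `summarize` of the `query` string duplicates the `Vendors` set instead of listing the products; it should read `Products=make_set(EventProduct)`. Counting with `dcount(TargetUserId)` also depends on every authentication source populating `TargetUserId`; a source that only supplies `TargetUsername` contributes nothing to `UserCount` and a spray through it goes unseen, so `dcount(TargetUsername)`, or a coalesce of the two, is worth confirming against the parsers actually deployed. With `queryPeriod` and `queryFrequency` both `PT1H`, a 5-minute burst straddling the hour boundary is split across two runs and may fall under `FailureThreshold` in each.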
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + 
"groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Potential Password Spray Attack", + "enabled": false, + "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack", + "alertRuleTemplateName": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508" + } + } + ] +} \ No newline at end of file From 6377b7512d7e735c152135982282f98807e0fccd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:19 +0000 Subject: [PATCH 250/375] Exported file: Powershell Empire cmdlets seen in command line.json.json --- ...l Empire cmdlets seen in command line.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json diff --git a/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json new file mode 100644 index 00000000..1a6df223 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d070056-c31e-46a3-8ab6-299510132e4f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d070056-c31e-46a3-8ab6-299510132e4f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet regexEmpire = @\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryF
reeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress
|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetFo
restTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\$Volume){\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\(\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\";\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nlet decodedPS = ProcessCreationEvents\n| where CommandLine contains \" -encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\n(decodedPS\n| union \n(ProcessCreationEvents\n| where FileName in~ 
(\"powershell.exe\",\"powershell_ise.exe\")\n| where CommandLine !contains \"-encodedcommand\")\n| extend StartTimeUtc = TimeGenerated\n)\n| where CommandLine matches regex regexEmpire\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "Powershell Empire cmdlets seen in command line", + "enabled": false, + "description": "Identifies instances of PowerShell Empire cmdlets in powershell process command line data.", + "alertRuleTemplateName": "ef88eb96-861c-43a0-ab16-f3835a97c928" + } + } + ] +} \ No newline at end of file From daa0e5ef1e22ceb561628adf5732f759e73fd3d1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:20 +0000 Subject: [PATCH 251/375] Exported file: Privileged Accounts - Sign in Failure Spikes.json.json --- ...ged Accounts - Sign in Failure Spikes.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json 
diff --git a/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json new file mode 100644 index 00000000..da1e5f2c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\nIdentityInfo\n| where AssignedRoles contains \"Admin\"\n| mv-expand AssignedRoles\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\n| where Roles contains \"Admin\"\n| distinct Roles, AccountUPN\n| join kind=inner (\n // Failed Signins attempts with reasoning related to MFA.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n) on $left.AccountUPN == $right.UserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, Roles, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by 
UserPrincipalName, Roles\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Privileged Accounts - Sign in Failure Spikes", + "enabled": false, + "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "alertRuleTemplateName": "34c5aff9-a8c2-4601-9654-c7e46342d03b" + } + } + ] +} \ No newline at end of file From adf2d681fd0bb169a918e49ccac91320a3a0c8e9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:20 +0000 Subject: [PATCH 252/375] Exported file: Privileged Role Assigned Outside PIM.json.json --- .../Privileged Role Assigned Outside PIM.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json diff --git a/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json new file mode 100644 index 00000000..c112b51e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json 
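Review bot: `"queryPeriod": "P1D"` does not cover the baseline the query builds — `let starttime = 14d;` and `make-series ... from startofday(ago(starttime))` need 14 days of SigninLogs/AADNonInteractiveUserSignInLogs, and as far as I know the lookback period bounds the data a scheduled rule can read, so series_decompose_anomalies would be fitted on at most one day of bins and the "spike" has no history to compare against. The sibling "Process execution frequency anomaly" export in this series pairs `starttime = 14d` with `"queryPeriod": "P14D"`; this rule should do the same: `"queryPeriod": "P14D",`. `"techniques": null` alongside `"tactics": ["InitialAccess"]` also leaves the MITRE technique unset, which makes the rule harder to place in coverage reporting.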
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName =~ 'Add member to role (permanent)'\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Privileged Role Assigned Outside PIM", + "enabled": false, + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "alertRuleTemplateName": "269435e3-1db8-4423-9dfc-9bf59997da1c" + } + } + ] +} \ No newline at end of file From 77415ae02ede65859b85a9319cdb119da208c786 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:21 +0000 Subject: [PATCH 253/375] Exported file: Probable AdFind Recon Tool Usage (Normalized Process Events).json.json --- ...ool Usage (Normalized Process Events).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json new file mode 100644 index 00000000..e9ccfb0c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json 
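Review bot: The query extracts the initiator only for its IP (`parse_json(tostring(InitiatedBy.user)).ipAddress`) and maps only the target user as an Account entity, so an incident shows who received the permanent role but not which principal assigned it, which is the first thing an analyst needs for this rule. Add `InitiatorCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)` to the `extend` and a second Account mapping for it inside `entityMappings`; the added mapping object follows. `"severity": "Low"` for a permanent privileged assignment that bypasses PIM also reads low next to the High given to the sign-in spike rule in this series, but that is a tuning call for the owning team.
```json
{
 "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "FullName",
 "columnName": "InitiatorCustomEntity"
 }
 ]
}
```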
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f33cb73-78b6-4886-8434-f319deea8d62')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f33cb73-78b6-4886-8434-f319deea8d62')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)", + "enabled": false, + "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965" + } + } + ] +} \ No newline at end of file From 68b0effeaf3c92077bcc32988c2b77650a328415 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:22 +0000 Subject: [PATCH 254/375] Exported file: Probable AdFind Recon Tool Usage.json.json --- .../Probable AdFind Recon Tool Usage.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json new file mode 100644 index 00000000..06834d6f --- /dev/null 
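Review bot: The three ORed branches of the main filter have very different precision — an exact SHA256 hit, a `hassuffix "AdFind.exe"` name hit, and `CommandLine has_any (args)`, which fires on any shell-spawned process whose command line merely contains a term such as `objectcategory` or `Domain Admins` — yet all surface as one High alert with nothing telling the analyst which branch matched. Record it, e.g. `| extend MatchReason = case(TargetProcessSHA256 == <the SHA256 already in the query>, "hash", Process hassuffix "AdFind.exe", "name", "args")`, and expose it through `customDetails` so triage can rank hash/name hits above argument-only hits. `ProcessCustomEntity` and `CommandLineCustomEntity` are computed but absent from `entityMappings`, so the command line never reaches the incident as a Process entity. The DeviceProcessEvents variant in the next hunk ("Probable AdFind Recon Tool Usage") has the same structure and the same gaps.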
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nDeviceProcessEvents\n//looks for execution from a shell\n| where InitiatingProcessFileName in (parentProcesses)\n// main filter\n| where FileName =~ \"AdFind.exe\" or SHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or ProcessCommandLine has_any (args)\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Probable AdFind Recon Tool Usage", + "enabled": false, + "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.", + "alertRuleTemplateName": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd" + } + } + ] +} \ No newline at end of file From c7784867d2cc0734759fb41b86d2a4fb726154c1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:23 +0000 Subject: [PATCH 255/375] Exported file: Process executed from binary hidden in Base64 encoded file.json.json --- ... binary hidden in Base64 encoded file.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json diff --git a/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json new file mode 100644 index 00000000..73cfa20b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json 
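Review bot: `| where InitiatingProcessFileName in (parentProcesses)` uses the case-sensitive `in`, while the normalized sibling rule uses `in~` and this same query uses `=~` for the FileName test; if the sensor reports the parent with its on-disk casing (e.g. `PowerShell.exe`), the child would pass the name/hash checks but be dropped by the parent filter. Use `| where InitiatingProcessFileName in~ (parentProcesses)` for consistency with the rest of the rule.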
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f801914e-c351-43d7-b2a7-ba58f064fda6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f801914e-c351-43d7-b2a7-ba58f064fda6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents;\n};\nProcessCreationEvents \n| where CommandLine contains \".decode('base64')\"\n or CommandLine contains \"base64 --decode\"\n or CommandLine contains \".decode64(\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Process executed from binary hidden in Base64 encoded file", + "enabled": false, + "description": "Encoding malicious software is a technique used to obfuscate files from detection. \nThe first CommandLine component is looking for Python decoding base64. \nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64.", + "alertRuleTemplateName": "d6190dde-8fd2-456a-ac5b-0a32400b0464" + } + } + ] +} \ No newline at end of file From 706b33daff265096822f4c1d180fdcdaa77d40be Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:23 +0000 Subject: [PATCH 256/375] Exported file: Process execution frequency anomaly.json.json --- .../Process execution frequency anomaly.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Process execution frequency anomaly.json diff --git a/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json new file mode 100644 index 00000000..c225444e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json 
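Review bot: The description says the first CommandLine component covers Python, but `.decode('base64')` is the Python 2 codec spelling; a Python 3 `base64.b64decode(` call is not matched, and the shell branch matches only `base64 --decode`, not the equally common short option `base64 -d`. Extending the filter with `or CommandLine contains "base64.b64decode(" or CommandLine contains "base64 -d"` closes both coverage gaps; `contains` is already case-insensitive so casing needs no extra handling. The description's "first/second/third component" wording should then be updated to match the filter.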
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3421562d-ac3e-42dc-9d90-e751868bb424')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3421562d-ac3e-42dc-9d90-e751868bb424')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 5;\nlet ExeList = dynamic([\"powershell.exe\",\"cmd.exe\",\"wmic.exe\",\"psexec.exe\",\"cacls.exe\",\"rundll.exe\"]);\nlet TimeSeriesData =\nSecurityEvent\n| where EventID == 4688 | extend Process = tolower(Process)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where Process in (ExeList)\n| project TimeGenerated, Computer, AccountType, Account, Process\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project Process, TimeGenerated, Total, baseline, anomalies, score\n| where Total > TotalEventsThreshold);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated);\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\nSecurityEvent\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| where EventID == 4688 | extend Process = tolower(Process)\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\n) on Process, TimeGenerated\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Process execution frequency anomaly", + "enabled": false, + "description": "Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\nTune the values from 1.5 to 3 in series_decompose_anomalies 
for further outliers or based on custom threshold values for score.", + "alertRuleTemplateName": "2c55fe7a-b06f-4029-a5b9-c54a2320d7b8" + } + } + ] +} \ No newline at end of file From 19dfb4fad5114727cb27220671046e3891b889a8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:24 +0000 Subject: [PATCH 257/375] Exported file: ProofpointPOD - Binary file in attachment.json.json --- ...fpointPOD - Binary file in attachment.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json new file mode 100644 index 00000000..d7979346 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json 
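Review bot: `"rundll.exe"` in `ExeList` looks like a typo for `rundll32.exe`; a modern Windows host has no `rundll.exe`, so that entry never matches and the rule silently has no rundll32 coverage even though the description promises monitoring of sensitive processes. Change the list entry to `"rundll32.exe"`. The join on `Process, TimeGenerated` only works because both sides bin to the same hour (`step timeframe` with `timeframe = 1h` on the series side, `bin(TimeGenerated, 1h)` on the event side); a comment such as `// timeframe and the 1h bin below must stay aligned or the join yields nothing` would save the next editor from breaking it.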
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ed981a2-337b-4542-a371-3968ac93f923')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ed981a2-337b-4542-a371-3968ac93f923')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Binary file in attachment", + "enabled": false, + "description": "Detects when email recieved with binary file as attachment.", + 
"alertRuleTemplateName": "eb68b129-5f17-4f56-bf6d-dde48d5e615a" + } + } + ] +} \ No newline at end of file From 7de40d8c7ce08e15f111444a8f8c065383e26f97 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:25 +0000 Subject: [PATCH 258/375] Exported file: ProofpointPOD - Email sender IP in TI list.json.json --- ...pointPOD - Email sender IP in TI list.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json new file mode 100644 index 00000000..56d78c38 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json 
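Review bot: The displayName and description promise detection of a binary attachment, but the query only compares `todynamic(MsgParts)[0]['detectedMime']` with `'application/zip'`: a message whose archive is not the first part, or any non-zip binary type, is not matched. Expanding every part — `| mv-expand part = todynamic(MsgParts)` followed by `| where tostring(part.detectedMime) == 'application/zip'` — and stating the zip-only scope in the description would make the rule match its name. The description also has a typo, `recieved` → `received`.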
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcIpAddr)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\n )\non $left.TI_ipEntity == $right.ClientIP\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| 
summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP\n| extend timestamp = ProofpointPOD_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Exfiltration", + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Email sender IP in TI list", + "enabled": false, + "description": "Email sender IP in TI list.", + "alertRuleTemplateName": "78979d32-e63f-4740-b206-cfb300c735e0" + } + } + ] +} \ No newline at end of file From 3d13317308fbdcf734bea4b56527b428c7680138 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:26 +0000 Subject: [PATCH 259/375] Exported file: ProofpointPOD - Email sender in TI list.json.json --- ...oofpointPOD - Email sender in TI list.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json new file mode 100644 index 00000000..15e29453 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json 
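Review bot: `let dt_lookBack = 1h;` combined with `"queryFrequency": "P1D"` means the rule runs once a day but only inspects the last hour of ProofpointPOD events, so roughly 23 hours of inbound mail are never compared against the indicator set. Either run hourly (`"queryFrequency": "PT1H"`) or set the lookback to the run interval (`let dt_lookBack = 1d;`). The rule also has no `entityMappings` block, so although `SrcIpAddr`, `SrcUserUpn` and `DstUserUpn` are projected, the incident carries no IP or Account entity to pivot on. The sender-address variant in the next hunk ("ProofpointPOD - Email sender in TI list") has both of the same issues.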
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcUserUpn)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n \n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Exfiltration", + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Email sender in TI list", + "enabled": false, + "description": "Email sender in TI list.", + "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde" + } + } + ] +} \ No newline at end of file From b45b82221ce52db283a45cb449cdfeb669a7e7ea Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:26 +0000 Subject: [PATCH 260/375] Exported file: ProofpointPOD - High risk message not discarded.json.json --- ...POD - High risk message not discarded.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json new file mode 100644 index 00000000..40125ada --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json 
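Review bot: The join `on $left.TI_emailEntity == $right.ClientEmail` is a case-sensitive equality between `EmailSenderAddress` from the TI feed and `SrcUserUpn` from ProofpointPOD, so an indicator stored as `Bad@Example.com` never matches a message logged as `bad@example.com`. Normalize both sides before the join, e.g. `| extend TI_emailEntity = tolower(EmailSenderAddress)` and `ClientEmail = tolower(SrcUserUpn)`. As in the IP variant of this rule, `let dt_lookBack = 1h;` under `"queryFrequency": "P1D"` leaves 23 hours of each day unchecked, and there are no `entityMappings` for `ClientEmail`, so matches surface without an account entity.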
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4416b145-266e-461b-b5bf-c346069f404e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4416b145-266e-461b-b5bf-c346069f404e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - High risk message not discarded", + "enabled": false, + "description": "Detects when email with high risk score was not rejected or discarded by filters.", + "alertRuleTemplateName": 
"c7cd6073-6d2c-4284-a5c8-da27605bdfde" + } + } + ] +} \ No newline at end of file From e199c7cdd8b99893df82abe8331bfe26580bac43 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:27 +0000 Subject: [PATCH 261/375] Exported file: ProofpointPOD - Multiple archived attachments to the same recipient.json.json --- ...ved attachments to the same recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json new file mode 100644 index 00000000..f4c3e6c5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json 
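Review bot: The only mapped entity is the sender (`| extend AccountCustomEntity = SrcUserUpn`), but for an inbound high-risk message that got past the filters the responder needs the internal recipient; the sibling "Suspicious attachment" rule in this same series maps `DstUserUpn`, so the two rules are inconsistent. Consider `| extend AccountCustomEntity = DstUserUpn`, or map both addresses. Separately, `FilterModulesSpamScoresOverall == '100'` is an exact string match on a single value; if that field is a numeric score, `toint(FilterModulesSpamScoresOverall) >= 90` (threshold to taste) would not miss near-maximum scores — confirm against the connector schema before changing it. The `project SrcUserUpn, DstUserUpn` also drops `TimeGenerated`, so the alert has no event timestamp to surface.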
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple archived attachments to the same recipient", + "enabled": false, + "description": "Detects when multiple emails where sent to 
the same recipient with large archived attachments.", + "alertRuleTemplateName": "bda5a2bd-979b-4828-a91f-27c2a5048f7f" + } + } + ] +} \ No newline at end of file From f857a63725f0a9370122a68b34e7f9ea01ee2ab9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:28 +0000 Subject: [PATCH 262/375] Exported file: ProofpointPOD - Multiple large emails to the same recipient.json.json --- ...le large emails to the same recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json new file mode 100644 index 00000000..51b6a7ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json 
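Review bot: Only the first message part is inspected (`todynamic(MsgParts)[0]['detectedMime']`), so a message whose zip is the second or later attachment — after the text body part, which is commonly first — is never counted. Expand the array instead: `| mv-expand part = todynamic(MsgParts)` followed by `| where tostring(part['detectedMime']) == 'application/zip'`, and de-duplicate per message before the `summarize count()` if one event per part should not inflate the count (the schema is not visible here). Also note `count_ > msgthreshold` with `msgthreshold = 3` fires from the fourth message, not the third, and the description's "large archived attachments" is not backed by any size check in the query.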
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7aa0650e-f8b6-4737-9894-85f684aa5d18')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7aa0650e-f8b6-4737-9894-85f684aa5d18')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet msgszthreshold = 3000000;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where NetworkBytes > msgszthreshold\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple large emails to the same recipient", + "enabled": false, + "description": "Detects when multiple emails with lage size where sent to the same recipient.", + 
"alertRuleTemplateName": "d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32" + } + } + ] +} \ No newline at end of file From bd4be32517f87ded0d73b5f958a345dbec56c0cc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:29 +0000 Subject: [PATCH 263/375] Exported file: ProofpointPOD - Multiple protected emails to unknown recipient.json.json --- ...protected emails to unknown recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json new file mode 100644 index 00000000..46b01c27 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json 
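Review bot: `summarize count() by SrcUserUpn, DstUserUpn` groups on the raw `DstUserUpn` string, which the neighbouring rules in this series treat as a JSON array (`todynamic(DstUserUpn)[0]`); if that is the field's shape, a large message to the same recipient plus one extra CC lands in a different bucket and the per-recipient count is diluted. Expanding recipients first (`| mv-expand recipient = todynamic(DstUserUpn)` and grouping by `tostring(recipient)`) keeps the count per actual recipient. Minor: `count_ > msgthreshold` with `msgthreshold = 3` means four or more messages, which is fine if intended but should be stated in the description.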
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet lbperiod = 14d;\nlet knownrecipients = ProofpointPOD\n| where TimeGenerated > ago(lbperiod)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where SrcUserUpn != ''\n| where array_length(todynamic(DstUserUpn)) == 1\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\n| extend commcol = SrcUserUpn;\nProofpointPOD\n| where TimeGenerated between (ago(lbtime) .. 
now())\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\n| join knownrecipients on commcol\n| where recipients !contains DstUserMail\n| project SrcUserUpn, DstUserMail\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple protected emails to unknown recipient", + "enabled": false, + "description": "Detects when multiple protected messages where sent to early not seen recipient.", + "alertRuleTemplateName": "f8127962-7739-4211-a4a9-390a7a00e91f" + } + } + ] +} \ No newline at end of file From 35f8a94c56f31bf279e77dfdaff8e893e55b4e8e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:29 +0000 Subject: [PATCH 264/375] Exported file: ProofpointPOD - Possible data exfiltration to private email.json.json --- ...le data exfiltration to private email.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json 
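Review bot: The join key is mismatched: `knownrecipients` sets `commcol = SrcUserUpn` (the sender whose recipient set was built), but the live query sets `commcol = tostring(todynamic(DstUserUpn)[0])` (the current recipient), so the join pairs a message's recipient with senders of the same address and the "unknown recipient" test runs against the wrong baseline. The live side should use `| extend commcol = SrcUserUpn` so each sender's messages are checked against that sender's own history. Two more points to confirm: `recipients !contains DstUserMail` is a substring test on the serialized set (`a@x.com` is "contained" by `aa@x.com`), where `not(set_has_element(recipients, DstUserMail))` is the exact check; and the 14-day baseline (`let lbperiod = 14d;`) sits in a rule whose `"queryPeriod"` is `PT30M` — if the scheduled query is bounded to that period, the baseline is effectively empty and every protected message is "unknown". There is also no count threshold despite the "Multiple" in the display name.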
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json new file mode 100644 index 00000000..41839953 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55f68d39-f930-44bd-acb6-4eddd9007237')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55f68d39-f930-44bd-acb6-4eddd9007237')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where array_length(todynamic(DstUserUpn)) == 1\n| extend sender = extract(@'\\A(.*?)@', 1, SrcUserUpn)\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\n| extend recipient = extract(@'\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\n| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\n| where sender =~ recipient\n| where sender_domain != recipient_domain\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + 
"tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Possible data exfiltration to private email", + "enabled": false, + "description": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.", + "alertRuleTemplateName": "aedc5b33-2d7c-42cb-a692-f25ef637cbb1" + } + } + ] +} \ No newline at end of file From 4e514aa31212d8b7aa08079b0e6226c1e0b1ec41 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:30 +0000 Subject: [PATCH 265/375] Exported file: ProofpointPOD - Suspicious attachment.json.json --- ...ProofpointPOD - Suspicious attachment.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json new file mode 100644 index 00000000..92580185 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json 
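Review bot: The domain comparison `sender_domain != recipient_domain` is case-sensitive while the local-part comparison uses `=~`, so `alice@Corp.com` to `alice@corp.com` is flagged as cross-domain; use `!~` (or `tolower()` on both) for the domain as well. The description says "non-corporate domain", but the query only checks that the two domains differ, so any sub-domain or partner domain of the company trips it; if a corporate-domain list is available, `| where recipient_domain !in~ (corp_domains)` is the check that matches the description. The `tactics` array lists `InitialAccess` for a rule whose display name and description are about exfiltration; the sibling ProofpointPOD exfiltration rules in this series use `Exfiltration`.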
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3838a2fe-0433-432b-8f34-fd48f0930148')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3838a2fe-0433-432b-8f34-fd48f0930148')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\n| where attachedExt in (disallowed_ext)\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Suspicious attachment", + "enabled": false, + "description": "Detects when email contains 
suspicious attachment (file type).", + "alertRuleTemplateName": "f6a51e2c-2d6a-4f92-a090-cfb002ca611f" + } + } + ] +} \ No newline at end of file From f42f7950a6ef8eee91dcd44d983548f2ed81ad0a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:31 +0000 Subject: [PATCH 266/375] Exported file: ProofpointPOD - Weak ciphers.json.json --- .../ProofpointPOD - Weak ciphers.json | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json new file mode 100644 index 00000000..bc4737a2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json 
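Review bot: `attachedExt in (disallowed_ext)` is a case-sensitive membership test, so `EXE` or `Ps1` in `detectedExt` passes through; `in~` makes it case-insensitive. As in the archive rule, only `todynamic(MsgParts)[0]` is examined, so an executable that is not the first message part is missed — `| mv-expand part = todynamic(MsgParts)` and then test `tostring(part['detectedExt'])`. The five-entry extension list is a starting point; whether to extend it (e.g. `hta`, `lnk`, `iso`, `msi`) is a policy call for the deploying team, so I would not hard-code more without that input.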
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lbtime = 1h;\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\nProofpointPOD\n| where EventType == 'message'\n| where TlsCipher in (tls_ciphers)\n| extend IpCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": null,
+ "techniques": null,
+ "displayName": "ProofpointPOD - Weak ciphers",
+ "enabled": false,
+ "description": "Detects when weak TLS ciphers are used.",
+ "alertRuleTemplateName": "56b0a0cd-894e-4b38-a0a1-c41d9f96649a"
+ }
+ }
+ ]
+}
\ No newline at end of file From 258f4d97996e6a29ce2c5b0db0709c1c6141fd67 Mon Sep 17 00:00:00 2001
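Review bot: `let lbtime = 1h;` is declared and never used — there is no `| where TimeGenerated > ago(lbtime)` — so the only time bound is whatever the scheduler applies from `"queryPeriod": "PT1H"`; either drop the unused `let` or add the filter so the query is self-describing. The query ends with `| extend IpCustomEntity = SrcIpAddr`, but the rule has no `entityMappings` block (the other rules in this series do map their custom entities), so the IP is never attached to the incident; add an `IP` entity mapping of `IpCustomEntity` to `Address`. `"tactics": null` leaves the rule unclassified in the incident view. The two-cipher list catches only `RC4-SHA` and `DES-CBC3-SHA`; if the connector exposes a TLS-version column, gating on protocol version would cover more than two suites — not visible from this file, so confirm before extending.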
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:32 +0000 Subject: [PATCH 267/375] Exported file: PulseConnectSecure - Large Number of Distinct Failed User Logins.json.json --- ...Number of Distinct Failed User Logins.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json new file mode 100644 index 00000000..ddd791b4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fbd8942-976f-4b19-94c6-785e9f05136e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fbd8942-976f-4b19-94c6-785e9f05136e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins", + "enabled": false, + "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server", + "alertRuleTemplateName": "1fa1528e-f746-4794-8a41-14827f4cb798" + 
} + } + ] +} \ No newline at end of file From c945f7021b490eccd417a169472f6557966705eb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:32 +0000 Subject: [PATCH 268/375] Exported file: PulseConnectSecure - Potential Brute Force Attempts.json.json --- ...cure - Potential Brute Force Attempts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json new file mode 100644 index 00000000..09ccf3d3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json 
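Review bot: `summarize dcount(User) by Computer, bin(TimeGenerated, 15m)` inside a rule that runs every hour over exactly one hour (`"queryFrequency": "PT1H"`, `"queryPeriod": "PT1H"`) means the 100-distinct-user threshold must be reached inside a single 15-minute bucket; a burst straddling the run boundary is split across two runs, and a slower spray of 30 users per quarter-hour never fires. If the intent is "100 distinct users per hour per server", drop the `bin()` or set it to the query period. The match `Messages startswith "Login failed"` also differs from the companion brute-force rule's `contains "Login failed"`; one form should be used in both so the two rules see the same events.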
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b59ad89c-249e-462f-ac68-c23a93202fa3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b59ad89c-249e-462f-ac68-c23a93202fa3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "PulseConnectSecure - Potential Brute Force Attempts", + "enabled": false, + "description": "This query identifies evidence of 
potential brute force attack by looking at multiple failed attempts to log into the VPN server", + "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44" + } + } + ] +} \ No newline at end of file From 2762b0902025a1bf1abdb2258a976b5e9b89f4ea Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:33 +0000 Subject: [PATCH 269/375] Exported file: RDP Nesting.json.json --- .../RDP Nesting.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/RDP Nesting.json diff --git a/SentinelExported-AnalyticsRule/RDP Nesting.json b/SentinelExported-AnalyticsRule/RDP Nesting.json new file mode 100644 index 00000000..93ec5a16 --- /dev/null +++ b/SentinelExported-AnalyticsRule/RDP Nesting.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda14730-b43b-4099-a785-6145306928b9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda14730-b43b-4099-a785-6145306928b9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet endtime = 1d;\nlet starttime = 8d;\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\nlet threshold = 5;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the first RDP connection time, computer and ip\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \n| join kind=inner (\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the second RDP connection time, computer and ip\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\n) on Account\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\n// where the second hop occurs within 30 minutes of the first hop\n| where SecondHop <= FirstHop+30m\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a 
given day\n| where ComputerCount >= threshold\n| mvexpand set_Computer\n| extend Computer = toupper(set_Computer)\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "RDP Nesting", + "enabled": false, + "description": "Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \nto another system with the same account within the 60 minutes. Additionally, if historically daily \nRDP connections are indicated by the logged EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "69a45b05-71f5-45ca-8944-2e038747fb39" + } + } + ] +} \ No newline at end of file From e856841817aaa4225e263a9a94f552cfd07199d9 Mon Sep 17 00:00:00 2001 
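Review bot: The description says the second hop must happen "within the 60 minutes" of the first, but the query enforces `| where SecondHop <= FirstHop+30m`; one of the two should change so analysts tuning the rule are not misled, either `| where SecondHop <= FirstHop+60m` or the description amended to 30 minutes. The self-join `join kind=inner (...) on Account` pairs every LogonType 10 event of an account with every other one in the day before the computer, IP and time filters are applied, which is quadratic per account on busy jump hosts; a pre-filter or a time-bounded join is cheaper, though that is an optimisation rather than a correctness issue. `makeset` and `mvexpand` are legacy aliases of `make_set` and `mv-expand`.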
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:34 +0000 Subject: [PATCH 270/375] Exported file: Rare RDP Connections.json.json --- .../Rare RDP Connections.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare RDP Connections.json diff --git a/SentinelExported-AnalyticsRule/Rare RDP Connections.json b/SentinelExported-AnalyticsRule/Rare RDP Connections.json new file mode 100644 index 00000000..84ec8eb1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare RDP Connections.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af136dbc-b98a-4c3b-9842-e076768ae2a1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af136dbc-b98a-4c3b-9842-e076768ae2a1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where EventID == 4624\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\n) on Account, Computer\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Rare RDP Connections", + "enabled": false, + "description": "Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\nRDP connections are indicated by the EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "45b903c5-6f56-4969-af10-ae62ac709718" + } + } + ] +} \ No newline at end of file From b8933577b0b865d9af49660c99e66957d4a61321 Mon Sep 17 00:00:00 2001 
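Review bot: `"techniques": null` under `"tactics": ["LateralMovement"]` drops the mapping an analyst would expect from an RDP detection (EventID 4624, LogonType 10); `"techniques": ["T1021"]` (Remote Services) matches the query as written. Separately, the baseline subquery filters on `EventID == 4624` without `LogonType == 10` and joins only on `Account, Computer`, so a previous non-RDP logon by the account to the same host suppresses today's first-ever RDP to it; the description says this is intentional ("related to any logon type"), so it deserves an inline comment in the query such as `// baseline deliberately covers all logon types, not only RDP` rather than a change.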
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:35 +0000 Subject: [PATCH 271/375] Exported file: Rare and potentially high-risk Office operations.json.json --- ...tentially high-risk Office operations.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json diff --git a/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json new file mode 100644 index 00000000..ee48f951 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e557ae74-ef8a-4bab-b807-959486942ceb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e557ae74-ef8a-4bab-b807-959486942ceb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nOfficeActivity\n| where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\")\nand not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "Collection" + ], + "techniques": null, + 
"displayName": "Rare and potentially high-risk Office operations", + "enabled": false, + "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.", + "alertRuleTemplateName": "957cb240-f45d-4491-9ba5-93430a3c08be" + } + } + ] +} \ No newline at end of file From a8964d89ee84cbd8a51f6228f17f238da6cdd625 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:35 +0000 Subject: [PATCH 272/375] Exported file: Rare application consent.json.json --- .../Rare application consent.json | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare application consent.json diff --git a/SentinelExported-AnalyticsRule/Rare application consent.json b/SentinelExported-AnalyticsRule/Rare application consent.json new file mode 100644 index 00000000..66f56236 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare application consent.json 
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f40377b-15d8-490f-a8d7-82c385f81829')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f40377b-15d8-490f-a8d7-82c385f81829')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "severity": "Medium", + "query": "\nlet current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed. \n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are \n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including 
operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold\n;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| parse TargetResources.[0].modifiedProperties with * \"ConsentType: \" ConsentType \"]\" *\n| mv-expand AdditionalDetails\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy 
| union RareConsentApp\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "LateralMovement", + "Collection" + ], + "techniques": null, + "displayName": "Rare application consent", + "enabled": false, + "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee" + } + } + ] +} \ No newline at end of file From f2b4c8cf60cae13559686f9b8a68436fbf336969 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:36 +0000 Subject: [PATCH 273/375] Exported file: Rare client observed with high reverse DNS lookup count.json.json --- ...ed with high reverse DNS lookup count.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json diff --git a/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json new file mode 100644 index 00000000..d4f3d8ac --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json 
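Review bot: `"triggerThreshold": 3` with `"triggerOperator": "GreaterThan"` means the rule only alerts when the query returns four or more rows in a day, yet the description promises an alert when a "Consent to application" is performed by a user who has not done it before, so a single previously-unseen consent (the most interesting case) is silently dropped. The rarity logic already lives inside the query (`| where OperationCount > threshold` on the 7-day baseline), so the rule-level gate should be `"triggerThreshold": 0`. Separately, `HostCustomEntity = TargetResourceName` maps an application display name onto a Host entity, which pollutes host investigation graphs; a `"entityType": "CloudApplication"` mapping with `"identifier": "Name"` is the better fit if the workspace's API version supports it.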
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/176ecb24-2007-4d65-a832-af6efe88afb5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/176ecb24-2007-4d65-a832-af6efe88afb5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents \n| where TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \n| join kind=leftanti (DnsEvents \n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | where Name contains \"in-addr.arpa\" \n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | where dcount_Name > threshold\n | project ClientIP , dcount_Name \n) on ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": 
"Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Rare client observed with high reverse DNS lookup count", + "enabled": false, + "description": "Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.", + "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06" + } + } + ] +} \ No newline at end of file From 995705f67d4c29ca3361b2988fbd0311d86b3a41 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:37 +0000 Subject: [PATCH 274/375] Exported file: Rare subscription-level operations in Azure.json.json --- ...ubscription-level operations in Azure.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json diff --git a/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json new file mode 100644 index 00000000..9d3c1cd9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet SensitiveOperationList = dynamic([\"microsoft.compute/snapshots/write\", \"microsoft.network/networksecuritygroups/write\", \"microsoft.storage/storageaccounts/listkeys/action\"]);\nlet SensitiveActivity = AzureActivity\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \"listkeys/action\"\n| where ActivityStatusValue =~ \"Succeeded\";\nSensitiveActivity\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \nSensitiveActivity\n| where TimeGenerated >= ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \nby CallerIpAddress, Caller, OperationNameValue\n) on CallerIpAddress, Caller, OperationNameValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Rare subscription-level operations in Azure", + "enabled": false, + "description": "This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \n to dump hashes or extract sensitive information from the disk.", + "alertRuleTemplateName": "23de46ea-c425-4a77-b456-511ae4855d69" + } + } + ] +} \ No newline at end of file From 9edb0d8cc73f75ac166958a4c81ca6311ef099a5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:38 +0000 Subject: [PATCH 275/375] Exported file: Request for single resource on domain.json.json --- ...Request for single resource on domain.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Request for single resource on domain.json diff --git a/SentinelExported-AnalyticsRule/Request for single resource on domain.json b/SentinelExported-AnalyticsRule/Request for single resource on domain.json new file mode 100644 index 00000000..edbd74c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Request for single resource on domain.json 
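Review bot: `| where ActivityStatusValue =~ "Succeeded"` is likely to drop every event on workspaces using the current AzureActivity schema, where the status is reported as `Success` rather than `Succeeded`, so the rule would go silently blind; `| where ActivityStatusValue in~ ("Succeeded", "Success")` keeps both forms, but please confirm against the values actually present in the workspace. The comment `// The number of operations below which an IP address is considered an unusual source of role assignment operations` was carried over from a role-assignment rule, while `SensitiveOperationList` here is snapshots, NSG writes and `listkeys`; reword it to `// The number of operations below which a caller/IP is considered an unusual source of these sensitive subscription-level operations`. `makelist` is a legacy alias for `make_list`.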
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63037f09-9e99-49da-909e-f384f84b9738')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63037f09-9e99-49da-909e-f384f84b9738')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet scriptExtensions = dynamic([\".php\", \".aspx\", \".asp\", \".cfml\"]);\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\nlet uriThreshold = 1;\nCommonSecurityLog\n// Only look at connections that were allowed through the web proxy\n| where DeviceVendor =~ \"Zscaler\" and DeviceAction =~ \"Allowed\"\n// Only look where some data was exchanged.\n| where SentBytes > 0 and ReceivedBytes > 0\n// Extract the Domain\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\n| extend GetData=iff(RequestURL == \"?\", 1, 0)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\n// Determine the number of URIs that have been visited for the domain\n| extend destinationURI = arraylength(list_RequestURL)\n| where destinationURI <= uriThreshold\n| where tostring(list_RequestURL) has_any(scriptExtensions)\n//Remove matches 
with referer\n| where max_RequestContext == \"\"\n//Keep requests where data was trasferred either in a GET with parameters or a POST\n| where set_RequestMethod in~ (\"POST\") or max_GetData == 1\n//Defeat email click tracking, may increase FN's while decreasing FP's\n| where list_RequestURL !has \"click\" and set_RequestMethod !has \"GET\"\n| mvexpand list_RequestURL, list_DestinationIP\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\n//Extend custom entitites for incidents\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Request for single resource on domain", + "enabled": false, + "description": "This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.", + "alertRuleTemplateName": "4d500e6d-c984-43a3-9f39-7edec8dcc04d" + } + } + ] +} \ No newline at end of file From 263651917cda741377a1d247c2df06906c84367c Mon Sep 17 00:00:00 2001 
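Review bot: `| extend GetData=iff(RequestURL == "?", 1, 0)` compares the whole URL to the literal string `?`, so it marks a request only when the URL is exactly a question mark; the "GET with parameters" intent in the comments needs a substring test such as `| extend GetData=iff(RequestURL contains "?", 1, 0)`. Compounding this, the later `| where list_RequestURL !has "click" and set_RequestMethod !has "GET"` appears to remove every domain whose method set includes GET, which makes the `max_GetData == 1` branch on the preceding line unreachable and reduces the rule to POST-only domains; if the GET-with-parameters path is wanted, limit the click-tracking exclusion to `| where list_RequestURL !has "click"`. The `Domain` extraction keeps only the last two labels, so `example.co.uk`-style hosts collapse to `co.uk` and are merged with unrelated sites, which is worth a caveat comment at minimum.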
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:39 +0000 Subject: [PATCH 276/375] Exported file: SOURGUM Actor IOC - July 2021.json.json --- .../SOURGUM Actor IOC - July 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json diff --git a/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json new file mode 100644 index 00000000..67959ccf --- /dev/null +++ b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\n (union isfuzzy=true\n(CommonSecurityLog\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\n| parse Message with * '(' DNSName ')' *\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\n| extend Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = 
DNSName\n),\n(DnsEvents\n| where Name in~ (domains)\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DNSName = Name, Host = Computer , Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where Image has_any (file_path1) or Image has_any (file_path3)\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'\n), \n(DeviceNetworkEvents\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, 
RemoteIP, RemoteUrl, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = 'SOURGUM IOC detected', UrlCustomEntity =RemoteUrl\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = 'SOURGUM IOC detected'\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"]\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source), Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n),\n(DeviceRegistryEvents\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceProcessEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( 
InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceFileEvents\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceEvents\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend CommandLine = InitiatingProcessCommandLine, Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + 
"matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SOURGUM Actor IOC - July 2021", + "enabled": false, + "description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM", + "alertRuleTemplateName": "94749332-1ad9-49dd-a5ab-5ff2170788fc" + } + } + ] +} \ No newline at end of file From 3b1232727595aa14af2c69b89a10e36b665057c4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:39 +0000 Subject: [PATCH 277/375] Exported file: SSH - Potential Brute Force.json.json --- .../SSH - Potential Brute Force.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json diff --git a/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json new file mode 100644 index 00000000..97991578 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json 
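Review bot: The `query` string loads every IoC through `externaldata(...)` from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv`, so each scheduled run depends on an unauthenticated fetch of an unpinned `master` branch file: if the fetch fails or the CSV changes shape, the `domains`/`sha256Hashes`/`file_path*`/`reg_key` lists come back empty and the rule silently produces no rows instead of an error, and whoever can alter that file alters what this workspace detects. Consider importing the feed into a Sentinel watchlist (`_GetWatchlist('<watchlist-name>')`) or at least pinning the URL to a commit SHA, and pair the rule with a health check that fires when `iocs | count` is 0. Separately, the query populates `UrlCustomEntity`, `DNSCustomEntity`, `ProcessCustomEntity` and `AlgorithmCustomEntity`, but `entityMappings` only maps Account, Host, IP and the FileHash `Value`, so URL/DNS/process context is dropped from incidents and the FileHash entity is mapped without its `Algorithm` identifier; the same `Algorithm`-less FileHash mapping recurs in the hunks ending at L779, L781, L783, L786 and L789. A complete FileHash mapping would add `{ "identifier": "Algorithm", "columnName": "AlgorithmCustomEntity" }` alongside the existing `Value` entry.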
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c84de391-2133-43e6-af89-27b021feaf75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c84de391-2133-43e6-af89-27b021feaf75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 15;\nSyslog\n| where SyslogMessage contains \"Failed password for invalid user\"\n| where ProcessName =~ \"sshd\" \n| parse kind=relaxed SyslogMessage with * \"invalid user\" user \" from \" ip \" port\" port \" ssh2\"\n| project user, ip, port, SyslogMessage, EventTime\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\n| where PerHourCount > threshold\n| mvexpand EventTimes\n| extend EventTimes = tostring(EventTimes) \n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\n| extend UserList = tostring(UserList) \n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "SSH - Potential Brute Force", + "enabled": false, + "description": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.", + "alertRuleTemplateName": "e1ce0eab-10d1-4aae-863f-9a383345ba88" + } + } + ] +} \ No newline at end of file From fc0e38588bf4dd086130f3455994efef1ca675fd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:40 +0000 Subject: [PATCH 278/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json.json --- ...kdoor hashes (Normalized File Events).json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json new file mode 100644 index 00000000..49eef9f4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json 
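Review bot: The `query` only counts sign-in failures for nonexistent accounts, because its first filter is `SyslogMessage contains "Failed password for invalid user"` and the `parse` anchors on `"invalid user"`, while the `description` promises detection of any IP with 15 failed SSH attempts; repeated password failures against an existing account never enter the count. Either narrow the description to invalid-user attempts or widen the filter to `Failed password for` and parse both message shapes (`"Failed password for invalid user <user> from <ip>"` and `"Failed password for <user> from <ip>"`). Two smaller points: `PerHourCount` is computed over `bin(EventTime, 4h)`, so a name such as `Per4hCount` would match the description's "4 hour block", and `makeset`/`mvexpand` are legacy spellings of `make_set`/`mv-expand`.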
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nimFileEvent\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = User, \n HostCustomEntity = DvcHostname,\n FileHashCustomEntity = TargetFileMD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + 
"entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "bc5ffe2a-84d6-48fe-bc7b-1055100469bc" + } + } + ] +} \ No newline at end of file From 843b1dc3559ff530848539035fe18ce29fc62391 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:41 +0000 Subject: [PATCH 279/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes.json.json --- ...UNBURST and SUPERNOVA backdoor hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json new file mode 100644 index 00000000..93fabf1d --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json 
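Review bot: The six SUNBURST/SUPERNOVA MD5 values in `query` are hard-coded and duplicated verbatim in the DeviceFileEvents variant of this rule (hunk ending at L781), so the two copies will drift the first time one is updated; a shared watchlist or one combined `let` list would keep them in step. Within this hunk the second predicate `TargetFileMD5 in(SupernovaMD5)` applies a set operator to a scalar `let`; folding the single SUPERNOVA hash into the list (`let SolarWindsMD5 = dynamic([... five SUNBURST hashes ..., "56ceb6d0011d87b6e4d7023d7ef85676"]);` then `| where TargetFileMD5 in (SolarWindsMD5)`) reads more clearly and removes the duplicated `or`.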
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c110f9e8-7ac6-496f-8df7-da0c413e767e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c110f9e8-7ac6-496f-8df7-da0c413e767e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nDeviceFileEvents\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST and SUPERNOVA backdoor hashes", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "a3c144f9-8051-47d4-ac29-ffb0c312c910" + } + } + ] +} \ No newline at end of file From ee6b2ed227a04cd4547af0b5c372a89408950bef Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:42 +0000 Subject: [PATCH 280/375] Exported file: SUNBURST network beacons.json.json --- .../SUNBURST network beacons.json | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST network beacons.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST network beacons.json b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json new file mode 100644 index 00000000..be9feb5a --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5b4fb13-738e-4591-a704-741486688b20')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5b4fb13-738e-4591-a704-741486688b20')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\",\"thedoccloud.com\",\"deftsecurity.com\"]);\nDeviceNetworkEvents\n| where ActionType == \"ConnectionSuccess\"\n| where RemoteUrl in(SunburstURL)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = InitiatingProcessMD5, \n HashAlgorithm = 'MD5',\n URLCustomEntity = RemoteUrl,\n IPCustomEntity = RemoteIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": 
[ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST network beacons", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "ce1e7025-866c-41f3-9b08-ec170e05e73e" + } + } + ] +} \ No newline at end of file From 67d1b102a16aa38ca7ba005370aafc797b01236c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:42 +0000 Subject: [PATCH 281/375] Exported file: SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json.json --- ...processes (Normalized Process Events).json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json new file mode 100644 index 00000000..19087bd8 --- /dev/null 
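Review bot: `RemoteUrl in(SunburstURL)` in `query` is an exact, case-sensitive comparison against six bare domain names, so a `DeviceNetworkEvents` row whose `RemoteUrl` carries a subdomain, a different letter case or a path will not match even though it is a connection to a listed domain. `has_any` performs case-insensitive term matching, so `| where RemoteUrl has_any (SunburstURL)` (or `in~` if exact full-host matches are intended) is the safer comparison for a domain IoC list. As a point of style, the column is named `URLCustomEntity` here while the SOURGUM rule earlier in this series uses `UrlCustomEntity`; one spelling across the exported rules makes cross-rule tooling simpler.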
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/20412a8c-a3a7-41a5-8620-6d4c724d3092')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/20412a8c-a3a7-41a5-8620-6d4c724d3092')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nimProcessCreate\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\n| where not(Process has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = ActorUsername,\n HostCustomEntity = User,\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST suspicious SolarWinds child processes (Normalized Process Events)", + "enabled": false, + "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)'", + "alertRuleTemplateName": "631d02df-ab51-46c1-8d72-32d0cfec0720" + } + } + ] +} \ No newline at end of file From 74402ed7f8cb22d24ac64552b065ade5306eba2b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:43 +0000 Subject: [PATCH 282/375] Exported file: SUNBURST suspicious SolarWinds child processes.json.json --- ...suspicious SolarWinds child processes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json new file mode 100644 index 00000000..ba56da8a --- /dev/null 
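Review bot: In `query`, the exclusion `| where not(Process has_any (excludeProcs))` can never remove anything, because the line before it already requires `Process hassuffix 'solarwinds.businesslayerhost.exe'` and none of the `excludeProcs` paths end in that name; the DeviceProcessEvents version of this rule (hunk ending at L789) instead matches the parent with `InitiatingProcessFileName` and applies the exclusions to the child's `FolderPath`. If `Process` here is the created process (as its use with `hassuffix` suggests; the ASIM alias should be confirmed against the parser), the filter selects the BusinessLayerHost process itself rather than its children, and the parent/child split should read `| where ActingProcessName hassuffix 'solarwinds.businesslayerhost.exe'` followed by `| where not(TargetProcessName has_any (excludeProcs))`. The entity block also sets `HostCustomEntity = User`, mapping a username column onto the Host entity while the sibling normalized rule (hunk ending at L779) uses `DvcHostname`; `HostCustomEntity = DvcHostname` is presumably what was intended. Finally, the `description` ends with a stray `'` after the ASIM link.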
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ae8d0a-38d8-441f-b491-134cf3151846')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ae8d0a-38d8-441f-b491-134cf3151846')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\n| where not(FolderPath has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST suspicious SolarWinds child processes", + "enabled": false, + "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "4a3073ac-7383-48a9-90a8-eb6716183a54" + } + } + ] +} \ No newline at end of file From 3c9057591ed79afb00085b73a6ece3ed857dbc95 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:44 +0000 Subject: [PATCH 283/375] Exported file: SUNSPOT log file creation.json.json --- .../SUNSPOT log file creation.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT log file creation.json diff --git a/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json new file mode 100644 index 00000000..5010a7fc --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json 
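Review bot: The FileHash entity is fed from the `MD5` column (`FileHashCustomEntity = MD5` at the end of the query) and the mapping supplies only the `Value` identifier, which is the weakest hash DeviceProcessEvents offers; the same table exposes a `SHA256` column, and the companion SUNSPOT hash rule in this series already keys on SHA256. I would change the extend to `FileHashCustomEntity = SHA256, FileHashAlgorithm = "SHA256"` and add `"identifier": "Algorithm", "columnName": "FileHashAlgorithm"` to the FileHash fieldMappings; as far as I recall Sentinel treats Algorithm plus Value as the strong identifier pair for that entity, so confirm against the current entity reference. Separately, the `excludeProcs` allow-list is matched with `has_any` on `FolderPath`, so a binary dropped under one of those exact relative paths is silently excluded; that is inherent to path-based exclusions, but the description should say so and ideally pin the expected signer or hash of the excluded binaries instead.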
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a13c922b-fe7c-476e-a586-edaab2219e57')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a13c922b-fe7c-476e-a586-edaab2219e57')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SUNSPOT log file creation", + "enabled": false, + "description": "This query uses Microsoft Defender for Endpoint 
data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807", + "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e" + } + } + ] +} \ No newline at end of file From 9e5f7b21b6f5df660c722c2a23cdeb934ed74267 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:44 +0000 Subject: [PATCH 284/375] Exported file: SUNSPOT malware hashes.json.json --- .../SUNSPOT malware hashes.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json diff --git a/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json new file mode 100644 index 00000000..ae9509a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json 
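Review bot: The query alerts on any event that touches `vmware-vmdmp.log`, not on its creation, because neither the `DeviceFileEvents` leg nor the 4663 leg filters on the action type, while the displayName and description promise "log file creation". For the MDE leg I would add `| where ActionType in~ ("FileCreated", "FileModified")`, and the description should note that the 4663 leg only produces data when a SACL with write/create auditing is applied to the directory named in the referenced CrowdStrike analysis, otherwise that union branch is dead. The output also drops the actor: `DeviceFileEvents` carries `InitiatingProcessAccountName`/`InitiatingProcessFileName`, 4663 carries `SubjectUserName`/`ProcessName`, and, if I recall the ASIM schema correctly, `imFileEvent` carries `ActorUsername`/`ActingProcessName`, so projecting a common `AccountCustomEntity` and adding an Account entity mapping would save analysts a pivot when this fires.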
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SUNSPOT malware hashes", + "enabled": false, + "description": "This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the 
SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807", + "alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429" + } + } + ] +} \ No newline at end of file From aa439164612730d7353826ef448f6da6ca89df16 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:45 +0000 Subject: [PATCH 285/375] Exported file: SUPERNOVA webshell.json.json --- .../SUPERNOVA webshell.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUPERNOVA webshell.json diff --git a/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json new file mode 100644 index 00000000..58eaf929 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json 
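Review bot: Both union legs match only `InitiatingProcessSHA256`, so the rule fires only once the SUNSPOT binary is already running and acting as the parent of some other event; the process-creation and file-write rows that carry the hash in their own `SHA256` column are never checked. I would add `DeviceProcessEvents | where SHA256 in~ (SUNSPOT_Hashes)` and `DeviceFileEvents | where SHA256 in~ (SUNSPOT_Hashes)` as further legs, and switch the existing `in` to `in~`, since KQL `in` is case-sensitive and the indicator list is lower-case; it is cheap insurance against a differently-cased source. The matched hash is also never surfaced: extending with `FileHashCustomEntity = coalesce(SHA256, InitiatingProcessSHA256)` (missing columns are null under `isfuzzy=true`) and mapping a FileHash entity with Algorithm `"SHA256"` and that Value would let the hit correlate with threat-intelligence indicators instead of producing only a Host entity.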
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nW3CIISLog\n| where csMethod == 'GET'\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\n| where csUriStem contains \"logoimagehandler.ashx\"\n| where csUriQuery contains \"codes\" and csUriQuery contains \"clazz\" and csUriQuery contains \"method\" and csUriQuery contains \"args\"\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "SUPERNOVA webshell", + "enabled": false, + "description": "Identifies SUPERNOVA webshell based on W3CIISLog data.\n References:\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/", + "alertRuleTemplateName": "2acc91c3-17c2-4388-938e-4eac2d5894e8" + } + } + ] +} \ No newline at end of file From 05057e85fa5a15078bb82dc3d54a3a25b01b0d79 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:46 +0000 Subject: [PATCH 286/375] Exported file: Security Event log cleared.json.json --- .../Security Event log cleared.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Security Event log cleared.json diff --git a/SentinelExported-AnalyticsRule/Security Event log cleared.json b/SentinelExported-AnalyticsRule/Security Event log cleared.json new file mode 100644 index 00000000..de1e55cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Security Event log cleared.json 
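Review bot: `AccountCustomEntity = csUserName` will map the literal `-` that IIS writes for anonymous requests as an Account entity, and the SUPERNOVA handler is typically reached without authentication, so most true hits would carry a bogus account named `-`. I would use `AccountCustomEntity = iff(csUserName == "-", "", csUserName)`, which should prevent an entity from being created for anonymous requests, or drop the Account mapping entirely. Since the query does not project, `scStatus` is already in the result set; surfacing it as a custom detail (or splitting on it) matters because a 200 to a request carrying `codes`/`clazz`/`method`/`args` indicates a working shell, whereas a 404/500 is more likely a probe. The `csMethod == 'GET'` filter is fine for W3C logs, as a POST body would not appear in `csUriQuery` anyway.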
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd618de1-e892-433a-9bc3-4d5d94edf017')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd618de1-e892-433a-9bc3-4d5d94edf017')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Security Event log cleared", + "enabled": false, + "description": "Checks for event id 1102 
which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.", + "alertRuleTemplateName": "80da0a8f-cfe1-4cd0-a895-8bc1771a720e" + } + } + ] +} \ No newline at end of file From 9bc244b84f7bef34eb1e323972c5be11c984999e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:47 +0000 Subject: [PATCH 287/375] Exported file: Security Service Registry ACL Modification.json.json --- ...ity Service Registry ACL Modification.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json diff --git a/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json new file mode 100644 index 00000000..88f3794a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json 
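Review bot: A cleared Security log is an active defense-evasion signal, yet this rule runs with `queryFrequency`/`queryPeriod` of `P1D`, so a wipe performed right after a run goes unreported for up to 24 hours; I would set both to `PT1H` or shorter and consider raising `severity` from Medium to High, since 1102 is rare in normal operation. Note that 1102 only covers the Security log: clearing the System or Application log produces event 104 from the same `Microsoft-Windows-Eventlog` source, but that lands in the `Event` table rather than `SecurityEvent`, so it is out of this rule's reach and the description should say so. The `summarize ... by Computer, Account, EventID, Activity` also discards the subject logon id (if `SubjectLogonId` is populated for 1102 in your data), which is the natural pivot to the session that performed the wipe.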
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ef3b755-c57d-4103-8ad3-7536adbdd953')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ef3b755-c57d-4103-8ad3-7536adbdd953')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet servicelist = dynamic(['Services\\\\HealthService', 'Services\\\\Sense', 'Services\\\\WinDefend', 'Services\\\\MsSecFlt', 'Services\\\\DiagTrack', 'Services\\\\SgrmBroker', 'Services\\\\SgrmAgent', 'Services\\\\AATPSensorUpdater' , 'Services\\\\AATPSensor', 'Services\\\\mpssvc']);\nlet filename = dynamic([\"subinacl.exe\",'SetACL.exe']);\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\nlet timeframe = 1d;\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4670\n| where ObjectType == 'Key'\n| where ObjectName has_any (servicelist)\n| parse EventData with * 'OldSd\">' OldSd \"<\" *\n| parse EventData with * 'NewSd\">' NewSd \"<\" *\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) 
and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\n),\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4688\n| extend ProcessName = tostring(split(NewProcessName, '\\\\')[-1])\n| where ProcessName in~ (filename) \n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessFileName in~ (filename) \n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", 
+ "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Security Service Registry ACL Modification", + "enabled": false, + "description": "Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \n Reference on guidance for enabling registry auditing:\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\n - https://github.com/OTRF/Set-AuditRule \n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0", + "alertRuleTemplateName": "473d57e6-f787-435c-a16b-b38b51fa9a4b" + } + } + ] +} \ No newline at end of file From e62d6f711d58d87a94052aa92085bf9b01e2bb0f Mon Sep 17 00:00:00 2001 
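Review bot: The `DeviceProcessEvents` leg filters on `InitiatingProcessFileName in~ (filename)` and `InitiatingProcessCommandLine`, i.e. on the parent of the created process, so it fires only for processes spawned by subinacl.exe/SetACL.exe rather than for the launch of those tools themselves, which is what the parallel 4688 leg matches via `NewProcessName`/`CommandLine`. Unless catching children of those tools is intended, the leg should test the created process: `| where FileName in~ (filename)` and `| where ProcessCommandLine has_any (servicelist) and ProcessCommandLine has_any (parameters)`, with the project switched to `ProcessName = FileName, CommandLine = ProcessCommandLine` (`FolderPath` already refers to the created process). Also worth noting: the 4670 leg returns rows whose computed `Reason` is `'None'`, so any DACL change on the listed keys alerts; if that is deliberate, a sentence in the description would stop the next maintainer from "fixing" it.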
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:47 +0000 Subject: [PATCH 288/375] Exported file: SecurityEvent - Multiple authentication failures followed by a success.json.json --- ...cation failures followed by a success.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json diff --git a/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json new file mode 100644 index 00000000..a237d536 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet timeRange = 6h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID == 4624 or EventID == 4625\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 5 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by Account asc, TimeGenerated asc\n| serialize \n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), 
makeset(IpAddress) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome \n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mvexpand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "SecurityEvent - Multiple authentication failures followed by a success", + "enabled": false, + "description": "Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\npossible mis-configuration of a service account within an environment.\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a success for an account within 1 hour to surface an alert.", + "alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7" + } + } + ] +} \ No newline at end of file From d390a27433d6124a7bfd064c7cdecf2320284baf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:48 +0000 Subject: [PATCH 289/375] Exported file: Sensitive Azure Key Vault operations.json.json --- .../Sensitive Azure Key Vault operations.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json diff --git a/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json new file mode 100644 index 00000000..7c838929 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json 
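Review bot: `| mvexpand set_IpAddress, set_Computer` expands the two sets positionally, pairing the i-th IP with the i-th Computer (the shorter set padded with nulls), so when a session spans several hosts or source addresses the emitted Host/IP entity pairs are arbitrary combinations that may never have co-occurred in a logon event. If per-account sessionization across hosts is intended, expand in two steps (`| mv-expand IpAddress = set_IpAddress to typeof(string)` then `| mv-expand Computer = set_Computer to typeof(string)`) and accept the cross product, or add `Computer` to the `summarize ... by` key so each session is host-scoped. While touching this, `makelist`, `makeset` and `mvexpand` are legacy aliases for `make_list`, `make_set` and `mv-expand`; naming the outputs explicitly would also remove the reliance on the implicit `list_Outcome`/`set_*` column names.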
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64c74af9-0412-4732-89f8-86f46e4897eb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64c74af9-0412-4732-89f8-86f46e4897eb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet SensitiveOperationList = dynamic(\n[\"VaultDelete\", \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", \"KeyBackup\"]);\nAzureDiagnostics\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and 
isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\" \n| where OperationName in~ (SensitiveOperationList) \n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Sensitive Azure Key Vault operations", + "enabled": false, + "description": "Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \nAny Backup operations should match with expected scheduled backup activity.", + "alertRuleTemplateName": "d6491be0-ab2d-439d-95d6-ad8ea39277c5" + } + } + ] +} \ No newline at end of file From e163b0b57bdd219975a2aef004b04e1b22f9236a Mon Sep 17 00:00:00 2001 
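Review bot: `SensitiveOperationList` covers keys and secrets but no certificate operations, so deleting, purging or backing up a certificate from a vault is not caught; if your vaults hold certificates, add the corresponding names (`CertificateDelete`, `CertificatePurge`, `CertificateBackup` in the Key Vault diagnostic schema, but confirm against the `OperationName` values present in your `AzureDiagnostics` data). `SecretPurge`/`KeyPurge` permanently remove soft-deleted objects and `VaultDelete` removes the vault, which sits oddly with a blanket `severity` of `Low`; consider splitting those into a higher-severity rule, or state in the description why Low was chosen. Finally, `ResultType =~ "Success"` hides denied attempts at these operations, which are a useful reconnaissance signal; a companion rule on failures would close that gap.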
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:49 +0000 Subject: [PATCH 290/375] Exported file: Several deny actions registered.json.json --- .../Several deny actions registered.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Several deny actions registered.json diff --git a/SentinelExported-AnalyticsRule/Several deny actions registered.json b/SentinelExported-AnalyticsRule/Several deny actions registered.json new file mode 100644 index 00000000..780cdb88 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Several deny actions registered.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Medium", + "query": "\nlet threshold = 1;\nAzureDiagnostics\n | where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n | extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n | extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n | extend msg_a = split(msg_s_replaced1,\" \")\n | extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\n | where action == \"Deny\"\n | extend url = iff(destIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",destIp)\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\n | where count_ >= [\"threshold\"]\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + 
"lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery", + "LateralMovement", + "CommandAndControl" + ], + "techniques": null, + "displayName": "Several deny actions registered", + "enabled": false, + "description": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.", + "alertRuleTemplateName": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e" + } + } + ] +} \ No newline at end of file From cc26124c612bb484f8bd1aa921587659bea56a47 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:50 +0000 Subject: [PATCH 291/375] Exported file: SharePointFileOperation via devices with previously unseen user agents.json.json --- ...es with previously unseen user agents.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json new file mode 100644 index 00000000..890b9771 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json 
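Review bot: In the `query` string, `| where count_ >= [\"threshold\"]` with `let threshold = 1;` lets every source/destination pair with a single deny through, and the rule then fires on `triggerThreshold` 1 with `GreaterThan` — that is the number of result rows across all sources, not the per-source deny count the description promises ("a source has more than 1 registered deny action"). To make the rule match its description, filter per source inside the query, `| where count_ > threshold`, and alert on any surviving row with `"triggerThreshold": 0`. The positional parse (`split(msg_s_replaced1,\" \")`, `action = tostring(msg_a[7])`) assumes both the application-rule and network-rule log lines share one token layout; if either format differs, the `action == \"Deny\"` filter silently matches nothing, so a comment in `description` stating the expected msg_s layout would help whoever maintains it. `"techniques": null` here, and in every other rule in this series, leaves the ATT&CK technique mapping empty while tactics are set; populating it would improve incident triage.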
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 5;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where TimeGenerated > ago(endtime)\n| where isnotempty(UserAgent)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\n| order by recentCount desc, UserAgent\n// More than 5 downloads/uploads from a new user agent today\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated > ago(endtime) \n| where RecordType =~ szSharePointFileOperation \n| where Operation in~ 
(szOperations)\n| where isnotempty(UserAgent)\n| join kind= inner (RareUserAgent)\non UserAgent, RecordType, Operation \n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "SharePointFileOperation via devices with previously unseen user agents", + "enabled": false, + "description": "Identifies if the number of documents uploaded or downloaded from device(s) associated\nwith a previously unseen user agent exceeds a threshold (default is 5).", + "alertRuleTemplateName": "5dd76a87-9f87-4576-bab3-268b0e2b338b" + } + } + ] +} \ No newline at end of file From 2a9574f09c826b023188811940aa18c5c69279fe Mon Sep 17 00:00:00 2001 
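Review bot: `RareUserAgent` is built with `join kind = leftanti (historicalActivity) on UserAgent` only, while `historicalActivity` is summarized by `UserAgent, RecordType, Operation` and the final `join kind= inner (RareUserAgent)` keys on all three; the sibling rule "SharePointFileOperation via previously unseen IPs" keys its leftanti join on all three columns. As written, an agent string seen historically only for FileDownloaded is also treated as not-new for FileUploaded, which may be intended but differs from the IP rule — either align it with `on UserAgent, RecordType, Operation` or state the difference in `description`. The `| order by recentCount desc, UserAgent` placed before `| where recentCount > threshold;` in the same let-statement sorts rows that are then discarded; putting the filter first is a free simplification. Because the count is per distinct `UserAgent`, volume spread across several agent strings from one client never reaches `recentCount > threshold`; an additional aggregation by ClientIP or UserId would make the detection less dependent on a stable agent string.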
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:50 +0000 Subject: [PATCH 292/375] Exported file: SharePointFileOperation via previously unseen IPs.json.json --- ...leOperation via previously unseen IPs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json new file mode 100644 index 00000000..379ae7e9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85e14dab-bc47-4f28-810f-47db9aa5896f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85e14dab-bc47-4f28-810f-47db9aa5896f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 50;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\n// More than 50 downloads/uploads from a new IP\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated >= ago(endtime) \n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\n| where Start_Time 
between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "SharePointFileOperation via previously unseen IPs", + "enabled": false, + "description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 50).", + "alertRuleTemplateName": "4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7" + } + } + ] +} \ No newline at end of file From 10e7bb69b2961382cf2904347f3bf8ba77994892 Mon Sep 17 00:00:00 2001 
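Review bot: Neither `historicalActivity` nor `recentActivity` drops rows with an empty `ClientIP`, unlike the user-agent sibling rule which has `| where isnotempty(UserAgent)` in both legs; OfficeActivity rows with a blank ClientIP are grouped as one "new IP" and, once past the 50 threshold, reach the IP entity mapping as an empty address. Add `| where isnotempty(ClientIP)` to both legs and to the final `OfficeActivity` scan so `IPCustomEntity` never carries an empty value. The time bounds also differ slightly — `recentActivity` uses `TimeGenerated > ago(endtime)` while the final scan uses `TimeGenerated >= ago(endtime)` — harmless, but worth aligning so both legs see the same rows.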
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:51 +0000 Subject: [PATCH 293/375] Exported file: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json new file mode 100644 index 00000000..0124366b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/595b910c-156b-4a20-996e-06c50a217133')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/595b910c-156b-4a20-996e-06c50a217133')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n , applicationsTargeted = dcount(TargetAppName)\n , applicationSet = make_set(TargetAppName) \n by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n imAuthentication\n | where EventResult=='Success'\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, 
successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)", + "enabled": false, + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33" + } + } + ] +} \ No newline at end of file From e799fc0cd47f6630398c7a18a291c1f66382e5ed Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:52 +0000 Subject: [PATCH 294/375] Exported file: Sign-ins from IPs that attempt sign-ins to disabled accounts.json.json --- ...attempt sign-ins to disabled accounts.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json 
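Review bot: `makeset(TargetUsername, 15)` in the successful-sign-in subquery uses the deprecated alias; the sibling rule "Sign-ins from IPs that attempt sign-ins to disabled accounts" already uses `make_set(UserPrincipalName, 15)`, so this should read `make_set(TargetUsername, 15)` for consistency. The `join kind=leftouter` followed by `| where isnotempty(successfulAccountSigninCount)` behaves as an inner join; `join kind=inner` states the intent directly and removes the post-filter. The `| where successfulAccountSigninCount < 100` cut-off decides which IPs can ever be alerted on but is explained only by a KQL comment; hoisting it to a `let` at the top of the query and mentioning it in `description` would make the tuning knob visible to whoever deploys the rule.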
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json new file mode 100644 index 00000000..e4ffdb36 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ee20e13-a511-42e0-beb8-020666b7071c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ee20e13-a511-42e0-beb8-020666b7071c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \napplicationSet = make_set(AppDisplayName) by IPAddress, Type\n| order by disabledAccountLoginAttempts desc\n| join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n table(tableName)\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n) on IPAddress \n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other 
account\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "enabled": false, + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757" + } + } + ] +} \ No newline at end of file From a809e74bebd4ff50aa2e455e2b52030db72e7baa Mon Sep 17 00:00:00 2001 
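Review bot: Inside `aadFunc` the same `ResultType` column is compared as a string (`ResultType == \"50057\"`) and as a number (`ResultType == 0`); SigninLogs exposes ResultType as a string, so `ResultType == \"0\"` matches the first predicate and avoids relying on implicit conversion. The additional exact match `ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\"` is redundant with code 50057 — the description itself documents that mapping — and brittle, since a wording change in the message would silently stop the rule from matching; dropping it, or loosening it to `ResultDescription has \"disabled\"`, is safer. Note that `Type` is kept in both `summarize ... by IPAddress, Type` clauses, so the `< 100` distinct-account cut-off is applied per table (`SigninLogs` vs `AADNonInteractiveUserSignInLogs`) rather than per IP overall; if that is intended it deserves a comment, otherwise drop `Type` from the join-side summarize.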
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:53 +0000 Subject: [PATCH 295/375] Exported file: Solorigate Defender Detections.json.json --- .../Solorigate Defender Detections.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Defender Detections.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json new file mode 100644 index 00000000..d2be50b9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where ThreatName has \"Solorigate\"\n| extend HostCustomEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.HostCustomEntity\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": 
"Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Solorigate Defender Detections", + "enabled": false, + "description": "Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.", + "alertRuleTemplateName": "e70fa6e0-796a-4e85-9420-98b17b0bb749" + } + } + ] +} \ No newline at end of file From 7ebb1e817ad363081299edd9f160cdf87ba16c0d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:54 +0000 Subject: [PATCH 296/375] Exported file: Solorigate Domains Found in VM Insights.json.json --- ...lorigate Domains Found in VM Insights.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json new file mode 100644 index 00000000..9ca5d68d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json 
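Review bot: `DeviceInfo` is joined to `SecurityAlert` without first reducing it to one row per device, and the default join flavour keeps one arbitrary left-side row per key, so `PublicIP`, `LoggedOnUsers` and `MachineGroup` in the alert may come from a stale DeviceInfo snapshot rather than the latest one. Insert `| summarize arg_max(TimeGenerated, *) by DeviceId` before `| extend DeviceName = tolower(DeviceName)` so the enrichment is deterministic. After the join, `project TimeGenerated` and `timestamp = TimeGenerated` take the DeviceInfo snapshot time, not the alert time; renaming the SecurityAlert side's TimeGenerated before the join (for example to `AlertTime`) and using that for `timestamp` would give the incident the correct time. The join compares `DeviceName` with `CompromisedEntity`; if CompromisedEntity carries an FQDN while DeviceName is a short hostname the join yields nothing — worth confirming against live data. `description` contains "Solarigate" and "all the the", which should be corrected in the source template.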
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, 
array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Solorigate Domains Found in VM Insights", + "enabled": false, + "description": "Identifies connections to Solorigate-related DNS records based on VM insights data", + "alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801" + } + } + ] +} \ No newline at end of file From bff9ef33c3d3186ecd69dc4753c91f703c14b200 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:55 +0000 Subject: [PATCH 297/375] Exported file: Solorigate Named Pipe.json.json --- .../Solorigate Named Pipe.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Named Pipe.json 
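Review bot: The `domains` IOC list is duplicated verbatim in this rule and in "Solorigate Network Beacon"; two copies drift when one is updated, so keep the list in a Sentinel Watchlist and read it with `_GetWatchlist` in both queries. Both enrichment joins are `kind = inner` over the same 1h window (`queryPeriod` PT1H, `let timeframe = 1h;`), so a connection that matches an IOC domain but whose `VMProcess` or `VMComputer` record falls outside that window is dropped silently; the DNS match is the detection, so use `kind = leftouter` for the enrichments (or widen `queryPeriod` and the process/computer windows) and let the alert fire with partial context. With a leftouter join `HostCustomEntity`, which comes from the `computers` leg, can be empty, so the IP entity mapping remains the guaranteed anchor. `description` could also state that VM Insights (VMConnection/VMProcess/VMComputer) must be collecting on the hosts for this rule to produce anything.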
diff --git a/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json new file mode 100644 index 00000000..3567c779 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\n(union isfuzzy=true\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend PipeName = column_ifexists(\"PipeName\", \"\")\n| extend Account = UserName\n),\n(\n SecurityEvent\n| where EventID == '5145'\n// %%4418 looks for presence of CreatePipeInstance value \n| where AccessList has '%%4418' \n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Solorigate Named Pipe", + "enabled": false, + "description": "Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095", + "alertRuleTemplateName": "11b4c19d-2a79-4da3-af38-b067e1273dee" + } + } + ] +} \ No newline at end of file From 561a756240a4e0365f055545df19bb75345764af Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:18:55 +0000 Subject: [PATCH 298/375] Exported file: Solorigate Network Beacon.json.json --- .../Solorigate Network Beacon.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Network Beacon.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json new file mode 100644 index 00000000..5d0d4c2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json 
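Review bot: The SecurityEvent branch filters `EventID == '5145'` with a string literal while the Sysmon branch uses `EventID in (17,18)` as integers; EventID is numeric in both tables, so `EventID == 5145` is the consistent form. `description` documents the Sysmon prerequisite (Event ID 17 and 18 logging) but not that Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled on the host; add a sentence such as "For the SecurityEvent branch, Audit Detailed File Share auditing must be enabled so Event ID 5145 is generated." The pipe GUID `583da945-62af-10e8-4902-a8f205c72b2e` appears twice in the query; a single `let pipeIoc = '...'` at the top keeps the two branches from drifting if the indicator is ever revised.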
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns (domain_has_any=domains)\n | extend DNSName = DnsQuery\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Network Beacon",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1",
+ "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ead27948790c42fefeefd3a5a8bee85d3e0b0b2c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:18:56 +0000
Subject: [PATCH 299/375] Exported file: Squid proxy events for ToR proxies.json.json
---
.../Squid proxy events for ToR proxies.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
new file mode 100644
index 00000000..54cd03c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
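Review bot: The `(imDns (domain_has_any=domains) ...)` branch of the query calls the ASIM DNS parser function, which has to be deployed in the workspace before this rule can run; `union isfuzzy=true` tolerates tables that do not exist but, as far as I know, not an unresolved function, so in a workspace without the parser the whole rule fails validation instead of degrading to the other branches. The description should state the dependency the way the Solorigate Named Pipe rule states its Sysmon prerequisite, e.g. `Requires the ASIM DNS parser (imDns) to be deployed; remove that branch if it is not available.` Separately, the indicator list lives inline in `let domains = dynamic([...])`, so updating Solorigate IOCs means editing and redeploying the rule; reading them from a watchlist or from the ThreatIntelligenceIndicator table would let analysts maintain the indicators without touching the template, and both Squid proxy rules embed their lists the same way.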
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == \"200\"\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events for ToR proxies",
+ "enabled": false,
+ "description": "Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "90d3f6ec-80fb-48e0-9937-2c70c9df9bad"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9322159f22f323e561135284b4b3d420d6ca9788 Mon Sep 17 00:00:00 2001
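Review bot: Most of the columns produced by the `extend` block in the query — `Status`, `RemotePort`, `Bytes`, `contentType`, and the later `TLD` — are never referenced again; only `HTTP_Status_Code`, `Domain`, `URL`, `SourceIP`, and `User` feed the filters and the entity columns, so the other regex extractions run against every Syslog row for nothing. Dropping them, or projecting them explicitly if they are meant as analyst context, keeps the rule cheaper and makes its intent clearer. The Squid mining-pools rule copies the same block and differs only in writing `HTTP_Status_Code == '200'` where this one writes `HTTP_Status_Code == \"200\"`; the two should share one quoting style.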
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:18:57 +0000
Subject: [PATCH 300/375] Exported file: Squid proxy events related to mining pools.json.json
---
... proxy events related to mining pools.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
new file mode 100644
index 00000000..bc4e34de
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \"xmrget.com\", \n\"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \"supportxmr.com\",\n\"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \"gntl.co.uk\", \"semipool.com\", \n\"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \"coinpoolit.webhop.me\", \"nanopool.org\", \n\"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \"extrmepool.org\", \"webcoin.me\", \n\"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \"dwarfpool.com\", \"hash-to-coins.com\", \n\"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \"moneropool.ru\", \"cryptonotepool.org.uk\",\n\"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\",\n\"shscrypto.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == '200'\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events related to mining pools",
+ "enabled": false,
+ "description": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "80733eb7-35b2-45b6-b2b8-3c51df258206"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4725f04251df4782db00dd170a6640ff60686ff6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:18:58 +0000
Subject: [PATCH 301/375] Exported file: Starting or Stopping HealthService to Avoid Detection.json.json
---
...ping HealthService to Avoid Detection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
diff --git a/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
new file mode 100644
index 00000000..6ff4834f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
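Review bot: `DomainList` in the query contains duplicate entries — `supportxmr.com`, `xmrpool.eu`, and `hashvault.pro` each appear twice — which suggests the list was merged from two sources without de-duplication; removing the repeats avoids the question of which copy is authoritative the next time the list is updated. `mooo.com` is also on the list; if that is the free dynamic-DNS parent domain I believe it to be, `Domain has_any (DomainList)` will match any host under it and the rule may fire on unrelated traffic, so either narrow it to the specific mining host or note the expected noise in the description. The description text `common mining pools .This query` has a misplaced period and should read `common mining pools. This query`.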
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityEvent\n| where EventID == 4656\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\n| extend ObjectServer = column_ifexists('ObjectServer', \"\"), ObjectType = column_ifexists('ObjectType', \"\"), ObjectName = column_ifexists('ObjectName', \"\")\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\n| where ObjectServer =~ \"SC Manager\" and ObjectType =~ \"SERVICE OBJECT\" and ObjectName =~ \"HealthService\"\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \"NU.\"\n| join kind=leftouter (\n SecurityEvent\n | where EventID == 4624\n) on TargetLogonId\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Starting or Stopping HealthService to Avoid Detection",
+ "enabled": false,
+ "description": "This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\n The query requires a SACL to audit for access request to the service.",
+ "alertRuleTemplateName": "2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ab460337013a9f2edb28769a9a1d27e3767d5e11 Mon Sep 17 00:00:00 2001
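Review bot: The `join kind=leftouter` to the 4624 events in the query looks intended to enrich each 4656 access with the logon's source address, but `IpAddress` is already a by-column of the preceding `pivot`, so the 4624 value lands in `IpAddress1` after the join and the following `project ... IpAddress` keeps the 4656-side column instead; if 4656 rows carry no IpAddress, the IP entity ends up empty. Projecting the needed column from the right side avoids the collision, e.g. `| join kind=leftouter (SecurityEvent | where EventID == 4624 | project TargetLogonId, LogonIpAddress = IpAddress) on TargetLogonId` followed by `IPCustomEntity = LogonIpAddress` in the final `extend`. The right side is currently unprojected over the whole `P1D` window, so narrowing it to those two columns before the join also keeps the query cheaper.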
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:18:59 +0000
Subject: [PATCH 302/375] Exported file: Successful SSH brute force attack.json.json
---
.../Successful SSH brute force attack.json | 104 ++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
diff --git a/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
new file mode 100644
index 00000000..f5336b5f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
@@ -0,0 +1,104 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "Usage\r\n| extend User1 = \"Bob\"\r\n| extend User2 = \"Bill\"\r\n| extend Host1 = \"DC01\"\r\n| extend Host2 = \"Web-DMZ01\"\r\n| extend IP = \"185.32.177.53\"\r\n| take 1\r\n",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": true,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host1"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host2"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User1"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User2"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IP"
+ }
+ ]
+ }
+ ],
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": null,
+ "alertDescriptionFormat": "Analysis of host data has detected a successful brute force attack. The IP {{IP}} was seen making multiple login attempts. This means that the host may be compromised and controlled by a malicious actor.",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful SSH brute force attack",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8b900beeb05e55d9f7fcc5ccfec352a0383700f8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:18:59 +0000
Subject: [PATCH 303/375] Exported file: Successful logon from IP and failure from a different IP.json.json
---
...om IP and failure from a different IP.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
diff --git a/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
new file mode 100644
index 00000000..4b8645f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
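Review bot: The query is synthetic — `Usage | extend User1 = \"Bob\" ... | extend IP = \"185.32.177.53\" | take 1` — yet the rule is `"enabled": true`, rated `High`, runs every `PT5M`, has an empty `description`, and its `alertDescriptionFormat` asserts a real successful brute force, so anything that consumes these incidents (SOAR playbooks, enrichment, automated blocking on the IP entity) will act on a fabricated indicator; `185.32.177.53` is a routable address that has nothing to do with this test. If this is a canary for the export pipeline, either set `"enabled": false` or label it as a test rule in `displayName` and `description`, and use an RFC 5737 documentation address such as `203.0.113.10` for the IP entity. The `suppressionEnabled: true` with `PT5H`, unlike every other rule in this batch, reads as a workaround for the rule firing on every run rather than a deliberate tuning choice.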
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet logonDiff = 10m;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where ResultType == \"0\" \n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1]), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\") \n | where ResultDescription !~ \"Other\" \n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\n) on UserPrincipalName, AppDisplayName \n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful logon from IP and failure from a different IP",
+ "enabled": false,
+ "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.",
+ "alertRuleTemplateName": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9e0b6e04faaaf4990f4065dafad95169eddbb617 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:00 +0000
Subject: [PATCH 304/375] Exported file: Suspicious Resource deployment.json.json
---
.../Suspicious Resource deployment.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
new file mode 100644
index 00000000..5f4e2cf8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
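Review bot: `SuccessIPBlock` in the query is the first two octets joined by a dot with no trailing separator, so `FailedIPAddress !startswith SuccessIPBlock` treats a success from `10.1.x.x` as the same block as failures from `10.10.x.x` through `10.19.x.x` and `10.100.x.x` through `10.199.x.x`, silently dropping those pairs from the detection; appending the delimiter fixes it: `SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1], \".\")`. This is also the only rule in the batch with no `entityMappings` block even though the output exposes `UserPrincipalName`, `SuccessIPAddress`, and `FailedIPAddress`, so the resulting incidents carry no Account or IP entities to group or pivot on; mappings for those three columns should be added alongside `incidentConfiguration`.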
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet szOperationNames = dynamic([\"Microsoft.Compute/virtualMachines/write\", \"Microsoft.Resources/deployments/write\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = AzureActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| where TimeGenerated > ago(endtime)\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller desc nulls last \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Resource deployment",
+ "enabled": false,
+ "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
+ "alertRuleTemplateName": "9fb57e58-3ed8-4b89-afcf-c8e786508b1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
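Review bot: The query uses the legacy spellings `makeset(...)` (three times in the `summarize`) and `mvexpand CallerIpAddress`; both are deprecated aliases of `make_set()` and `mv-expand`, and the Solorigate Named Pipe and HealthService rules in this same batch already use `mv-expand`, so the set is inconsistent. Switching to the current forms, e.g. `| mv-expand CallerIpAddress` and `CallerIpAddress = make_set(CallerIpAddress)`, keeps the rule working if the aliases are eventually retired. The `queryPeriod` of `P14D` on a daily rule exists only to feed the `starttime = 14d` baseline, not the detection window; a sentence in the description saying so would spare the next reader from wondering why a `Low` rule scans two weeks of AzureActivity every run.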
From 4e1ba413c4ae404779861b0951155459eb9b4754 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:01 +0000
Subject: [PATCH 305/375] Exported file: Suspicious Service Principal creation activity.json.json
---
...s Service Principal creation activity.json | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
new file mode 100644
index 00000000..dbc7eb1b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
@@ -0,0 +1,50 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7e581ff-451f-4e85-97fd-f22c8be96580')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7e581ff-451f-4e85-97fd-f22c8be96580')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let timeframe = 60m;\nlet lookback = 10m;\nlet account_created =\nAuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\nAADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\nAuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet 
account_credentials =\nAuditLogs\n | where OperationName contains \"Update application - Certificates and secrets management\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\nAuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n |summarize make_list(AssignedRoles) by AppID;\naccount_created \n | join kind= inner (account_activity) on AppID, AppID \n | join kind= inner (account_deleted) on AppID, AppID \n | join kind= inner (account_credentials) on AppID, AppID \n | join kind= inner (roles_assigned) on AppID, AppID\n | where deletionTime - creationTime < lookback\n | where tolong(deletionTime - creationTime) >= 0\n | where creationTime > ago(timeframe)\n | extend AliveTime = deletionTime - creationTime\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess", + "PrivilegeEscalation", + "InitialAccess" + ], + "techniques": null, + "displayName": "Suspicious Service Principal creation activity", + "enabled": false, + 
"description": "This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)", + "alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d" + } + } + ] +} \ No newline at end of file From 49d6cbdbd4bad274ada68cef4de7dc53fcc4ab30 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:02 +0000 Subject: [PATCH 306/375] Exported file: Suspicious application consent for offline access.json.json --- ...pplication consent for offline access.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json new file mode 100644 index 00000000..7478c516 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json 
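Review bot: The rule carries no `entityMappings`, although its query projects `userPrincipalName_creator`, `ipAddress_creator`, `userPrincipalName_deleter` and `ipAddress_deleter`; every other rule in this series maps Account/IP entities, so incidents from this one will have no entities and the `"matchingMethod": "AllEntities"` grouping has nothing to work with. I would insert the mappings below between `incidentConfiguration` and `tactics`, in the same shape the sibling rules use. The description also misspells `credentials cretaed` (created), and the `roles_assigned` sub-query is the only one of the four that does not filter on `Result == "success"` — presumably deliberate, but a short comment in the query would make that explicit.
```json
      "entityMappings": [
        {
          "entityType": "Account",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "userPrincipalName_creator" }
          ]
        },
        {
          "entityType": "IP",
          "fieldMappings": [
            { "identifier": "Address", "columnName": "ipAddress_creator" }
          ]
        },
        {
          "entityType": "Account",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "userPrincipalName_deleter" }
          ]
        },
        {
          "entityType": "IP",
          "fieldMappings": [
            { "identifier": "Address", "columnName": "ipAddress_deleter" }
          ]
        }
      ],
      "tactics": [
```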
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6dff9c6d-c191-4e5b-a308-a0906a23752d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6dff9c6d-c191-4e5b-a308-a0906a23752d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"offline_access\" and ConsentFull contains \"Files.Read\" or ConsentFull contains \"Mail.Read\" or ConsentFull contains \"Notes.Read\" or ConsentFull contains \"ChannelMessage.Read\" or ConsentFull contains \"Chat.Read\" or ConsentFull contains \"TeamsActivity.Read\" or ConsentFull contains \"Group.Read\" or 
ConsentFull contains \"EWS.AccessAsUser.All\" or ConsentFull contains \"EAS.AccessAsUser.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Suspicious application consent for offline access", + "enabled": false, + "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "3533f74c-9207-4047-96e2-0eb9383be587" + } + } + ] +} \ No newline at end of file From 828ca6cabeab6ccaaef7b1731f39e9c9ffef28e1 Mon Sep 17 00:00:00 2001 
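Review bot: The scope filter in `query` has an operator-precedence defect: KQL binds `and` tighter than `or`, so `ConsentFull contains "offline_access" and ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or …` requires `offline_access` only on the `Files.Read` branch, and a consent containing any one of the other scopes matches without offline access at all, contradicting the description. Parenthesise the alternatives: `| where ConsentFull contains "offline_access" and (ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or ConsentFull contains "Notes.Read" or … or ConsentFull contains "EAS.AccessAsUser.All")`. The known-application allow-list is also fetched at query time with `externaldata` from a public GitHub raw URL, so the detection depends on that remote file's availability and content each run; the same dependency appears in the O365 Attack Toolkit and PwnAuth rules that follow, and a watchlist or pinned copy plus a query comment stating the trust assumption would be the more robust choice.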
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:03 +0000 Subject: [PATCH 307/375] Exported file: Suspicious application consent similar to O365 Attack Toolkit.json.json --- ...onsent similar to O365 Attack Toolkit.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json new file mode 100644 index 00000000..b43857d2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"mailboxsettings\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"contacts.read\" and ConsentFull contains \"user.read\" and ConsentFull contains \"mail.read\" and ConsentFull contains \"notes.read.all\" and ConsentFull contains \"mailboxsettings.readwrite\" and ConsentFull contains \"Files.ReadWrite.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we 
are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", tostring(AdditionalDetails[0].value), \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "f948a32f-226c-4116-bddd-d95e91d97eb9" + } + } + ] +} \ No newline at end of file From 90f0f7d2b1e58a1eea156a086383e15746f2283c Mon Sep 17 00:00:00 2001 
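Review bot: The `description` repeats the clause `especially as the knownApplications list is expanded` twice in succession; trim it to one occurrence. In the query, `join kind = innerunique … on CorrelationId` deduplicates the left side on the join key, so if several consent rows share a `CorrelationId` only one reaches the output — probably acceptable, but `kind = inner` avoids silently dropping alerts and matches the intent of the other joins. `GrantUserAgent` is read from `AdditionalDetails[0]` on the assumption that the User-Agent entry is always first; a key-based lookup over the array would not depend on ordering.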
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:04 +0000 Subject: [PATCH 308/375] Exported file: Suspicious application consent similar to PwnAuth.json.json --- ...pplication consent similar to PwnAuth.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json new file mode 100644 index 00000000..cd0527f3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2636af24-3225-405a-aa4b-7b455f326445')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2636af24-3225-405a-aa4b-7b455f326445')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"user.read\" and ConsentFull contains \"offline_access\" and ConsentFull contains \"mail.readwrite\" and ConsentFull contains \"mail.send\" and ConsentFull contains \"files.read.all\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via 
an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n", + 
"suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Suspicious application consent similar to PwnAuth", + "enabled": false, + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "39198934-62a0-4781-8416-a81265c03fd6" + } + } + ] +} \ No newline at end of file From f84051d451da1f413866575daff8659b4777f2fa Mon Sep 17 00:00:00 2001 
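Review bot: `GrantUserAgent` is computed as `iff(AdditionalDetails[0].key =~ "User-Agent", AdditionalDetails[0].value, "")`, whose two branches are a dynamic value and a string literal; the O365 Attack Toolkit rule in this series wraps the value in `tostring()` and the offline-access rule wraps the whole `iff`. Align it so the projected column is a typed string: `| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ "User-Agent", tostring(AdditionalDetails[0].value), "")`. The rest of the hunk mirrors the O365 Attack Toolkit rule, including the query-time `externaldata` fetch of the allow-list from a public GitHub URL, which makes the detection dependent on that remote file each run.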
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:04 +0000 Subject: [PATCH 309/375] Exported file: Suspicious granting of permissions to an account.json.json --- ...granting of permissions to an account.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json diff --git a/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json new file mode 100644 index 00000000..e8e3617d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationNameValue =~ \"microsoft.authorization/roleassignments/write\";\ncreateRoleAssignmentActivity \n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Suspicious granting of permissions to an account", + "enabled": false, + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "alertRuleTemplateName": "b2c15736-b9eb-4dae-8b02-3016b6a45a32" + } + } + ] +} \ No newline at end of file From 6de4d44483c4b4c69498b13c4d0182b8fe0c9e24 Mon Sep 17 00:00:00 2001 
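Review bot: The description promises an alert "when a previously unseen source IP address is used", but the baseline in `query` keeps only (`CallerIpAddress`, `Caller`) pairs with at least `alertOperationThreshold` (5) role-assignment writes in the 14-day window, so a pair seen one to four times still alerts and the unit is the caller/IP pair, not the IP. I would say so in the description, e.g. `…alerts when a caller/source-IP pair with fewer than 5 role-assignment operations in the 14-day baseline assigns a role in the last day.`. Unlike the "Suspicious Resource deployment" rule earlier in this series, there is no `| where isnotempty(CallerIpAddress)` filter, so rows with an empty caller IP are grouped under the empty key and may alert every day for principals that never carry an IP — worth confirming that is intended.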
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:05 +0000 Subject: [PATCH 310/375] Exported file: Suspicious link sharing pattern.json.json --- .../Suspicious link sharing pattern.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json diff --git a/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json new file mode 100644 index 00000000..5cc525ae --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dfbb9a20-254e-4c70-a302-0ba22da59117')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dfbb9a20-254e-4c70-a302-0ba22da59117')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 3; \nZoomLogs \n| where Event =~ \"chat_message.sent\" \n| extend Channel = tostring(parse_json(ChatEvents).Channel) \n| extend Message = tostring(parse_json(ChatEvents).Message) \n| where Message matches regex \"http(s?):\\\\/\\\\/\" \n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\n| extend ChannelCount = arraylength(Channels) \n| where ChannelCount > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Suspicious 
link sharing pattern", + "enabled": false, + "description": "Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.", + "alertRuleTemplateName": "1218175f-c534-421c-8070-5dcaabf28067" + } + } + ] +} \ No newline at end of file From 166378b23d5e3e57e618f8c4f834c847f7c99112 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:06 +0000 Subject: [PATCH 311/375] Exported file: Suspicious number of resource creation or deployment activities.json.json --- ...rce creation or deployment activities.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json diff --git a/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json new file mode 100644 index 00000000..96915b2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json 
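Review bot: The `description` has two typos — `Alerts in links` should read `Alerts on links` and `a short space if time` should read `a short space of time` — and it says the alert fires once a message reaches `threshold` channels, whereas the query uses `ChannelCount > threshold`, i.e. four or more channels at the default of 3. Either phrase the description as "more than `threshold` channels" or change the comparison to `>=` so the documented meaning matches. The query also uses the legacy `makeset` and `arraylength` names; `make_set` and `array_length` are the current spellings, and the permissions-granting rule in this series already uses `make_set`.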
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7791c2cc-28ac-4387-87e7-9ddda54c2543')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7791c2cc-28ac-4387-87e7-9ddda54c2543')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet szOperationNames = dynamic([\"microsoft.compute/virtualMachines/write\", \"microsoft.resources/deployments/write\"]);\nlet starttime = 7d;\nlet endtime = 1d;\nAzureActivity\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2\n| join kind=leftsemi (\n// Last day's activity is anomalous\nAzureActivity\n| where TimeGenerated >= startofday(ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| 
where Slope > 0.2 \n) on Caller, CallerIpAddress \n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Suspicious number of resource creation or deployment activities", + "enabled": false, + "description": "Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\nThe start of the day is considered 12am UTC time.", + "alertRuleTemplateName": "361dd1e3-1c11-491e-82a3-bb2e44ac36ba" + } + } + ] +} \ No newline at end of file From d57311f4e2fbc54c30576a2331eef20224a018c6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:07 +0000 Subject: [PATCH 312/375] Exported file: TEARDROP memory-only dropper.json.json --- .../TEARDROP memory-only dropper.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json 
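Review bot: The `make-series` ranges hard-code `ago(7d)` and `ago(1d)` even though the query declares `let starttime = 7d;` and `let endtime = 1d;` and uses them in the opening time filter, so editing the lets silently desynchronises the series window from the data window; use `range(startofday(ago(starttime)), now(), 1d)` in the outer query and `range(startofday(ago(endtime)), now(), 1d)` in the `join kind=leftsemi` subquery. The legacy forms `makelist` and `mvexpand` also appear in both halves of the query; `make_list` and `mv-expand` are the current names. The outer `make-series` groups by the stringified per-row lists (`tostring(ActivityTimeStamp)` etc.), which looks like it makes every group a single row, so it is worth confirming that `series_fit_line` is seeing more than one populated bucket per caller.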
diff --git a/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json new file mode 100644 index 00000000..846ccdaf --- /dev/null +++ b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json 
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "TEARDROP memory-only dropper",
+ "enabled": false,
+ "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "738702fd-0a66-42c7-8586-e30f0583f8fe"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 26545c83e75b028fa34dc9ac498bd7eaca58c8f5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:07 +0000
Subject: [PATCH 313/375] Exported file: THALLIUM domains included in DCU takedown.json.json
---
 ...LIUM domains included in DCU takedown.json | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
diff --git a/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
new file mode 100644
index 00000000..06378b01
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
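Review bot: The query extends `FileHashType = "SHA1"`, but the FileHash entity mapping binds only `Value` to `FileHashCustomEntity`, so the hash algorithm is computed and then dropped from the entity; add a second field mapping `{ "identifier": "Algorithm", "columnName": "FileHashType" }` alongside the `Value` mapping. The process and file matches use `contains` (`InitiatingProcessFileName contains "svchost.exe" and FileName contains "NetSetupSvc.dll"`), which is a substring match; `=~` on the exact file names is tighter and cheaper for this IOC-style rule. `techniques` is null while Execution and Persistence are listed; populating it keeps the rule aligned with the other exports in this series that carry ATT&CK metadata.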
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ee415a8-0c09-46a1-b75d-9223de562a12')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ee415a8-0c09-46a1-b75d-9223de562a12')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| 
where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost \n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "THALLIUM domains included in DCU takedown", + "enabled": false, + "description": "THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ", + "alertRuleTemplateName": "70b12a3b-4896-42cb-910c-5ffaf8d7987d" + } + } + ] +} \ No newline at end of file From 0cbb25acec6e2d2bba3f3fda9b8ab170c2f389d8 Mon Sep 17 00:00:00 2001 
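Review bot: The description states the rule matches against "CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes", but the union in the query reads CommonSecurityLog, DnsEvents, imDns, VMConnection and AzureDiagnostics and never references SecurityEvents, so the description should list the sources the query actually covers. In the CommonSecurityLog branch, `| where isnotempty(FileHash)` is applied before the `DNSName in~ (DomainNames)` match, which looks like it discards CSL records that name an IOC domain but carry no file hash; if that filter is not deliberate it should be removed. The branches also alternate between `in~` and `has_any` for the same domain list, which gives different match semantics per source (exact, case-insensitive vs. term match) and is worth unifying.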
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:08 +0000 Subject: [PATCH 314/375] Exported file: TI map Domain entity to CommonSecurityLog.json.json --- ...ap Domain entity to CommonSecurityLog.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json new file mode 100644 index 00000000..9f942723 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where 
DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to CommonSecurityLog", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI", + "alertRuleTemplateName": "dd0a6029-ecef-4507-89c4-fc355ac52111" + } + } + ] +} \ No newline at end of file From 2dcc78fd7314647825917641325c7a24e7bd93e6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:09 +0000 Subject: [PATCH 315/375] Exported file: TI map Domain entity to DnsEvent.json.json --- .../TI map Domain entity to DnsEvent.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json new file mode 100644 index 00000000..eeb3f542 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json 
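Review bot: The deduplication step `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue` keys on a file-hash column in a rule that matches domain indicators; the PaloAlto variant later in this series keys on `IndicatorId, Domain`, which is the entity this query actually joins on, and `by IndicatorId, Domain` here keeps the two consistent and avoids collapsing distinct domain hits that share an empty FileHashValue. The tactic is `Impact` with `techniques` null; a TI domain match arguably belongs under CommandAndControl, as the THALLIUM rule in this series classifies it, but that is a judgement call.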
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a52b38c6-0473-4282-b1ac-a34022f46447')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a52b38c6-0473-4282-b1ac-a34022f46447')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in 
the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.Name\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to DnsEvent", + "enabled": false, + "description": "Identifies a match in DnsEvent table from any Domain IOC from TI", + "alertRuleTemplateName": "85aca4d1-5d15-4001-abd9-acb86ca1786a" + } + } + ] +} \ No newline at end of file From 0d852006cf99418d168a5c2cd05d063de8cc82e5 Mon Sep 17 00:00:00 2001 
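Review bot: The join `on $left.DomainName==$right.Name` is case-sensitive, and unlike the CommonSecurityLog variant earlier in this series neither side is lowercased here (`list_tlds` is built without `| extend DomainName = tolower(DomainName)` and the DnsEvents `Name` column is used as-is), so a mixed-case indicator or query name will not match even though the preceding `tld in~ (list_tlds)` check is case-insensitive. Add `| extend DomainName = tolower(DomainName)` after the `Active == true` filter and `| extend Name = tolower(Name)` in the DnsEvents subquery so the join sees normalised values on both sides.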
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:10 +0000 Subject: [PATCH 316/375] Exported file: TI map Domain entity to PaloAlto.json.json --- .../TI map Domain entity to PaloAlto.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json new file mode 100644 index 00000000..32541d26 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52679aa-c825-444f-8dc3-2e679658b552')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52679aa-c825-444f-8dc3-2e679658b552')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n //Uncomment the 
line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to PaloAlto", + "enabled": false, + "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI", + "alertRuleTemplateName": "ec21493c-2684-4acd-9bc2-696dbad72426" + } + } + ] +} \ No newline at end of file From 452e826720d1c70b718d282d848b83a059e255ee Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:10 +0000 Subject: [PATCH 317/375] Exported file: TI map Domain entity to SecurityAlert.json.json --- ...TI map Domain entity to SecurityAlert.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json new file mode 100644 index 00000000..71a2d372 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json 
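Review bot: This rule appears to be the CommonSecurityLog domain rule from earlier in this series with `| where DeviceVendor =~ 'Palo Alto Networks'` added and the same `dt_lookBack`, URL parsing and entity mappings, so enabling both would produce two alerts for every Palo Alto URL match; either the generic rule should exclude Palo Alto records or one of the two should be retired. If both are kept, the generic rule should at least adopt this rule's `by IndicatorId, Domain` deduplication so the two do not diverge in how they collapse hits.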
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n //Extract domain patterns from message\n | extend domain = 
extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\", 1, tolower(Entities))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column extract hostname and IP address\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n) on $left.DomainName==$right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to SecurityAlert", + "enabled": false, + "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI", + "alertRuleTemplateName": "87890d78-3e05-43ec-9ab9-ba32f4e01250" + } + } + ] +} \ No newline at end of file From 5fd5420226eb96c106e574784dcf3c925310e3f0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:11 +0000 Subject: [PATCH 318/375] Exported file: TI map Domain entity to Syslog.json.json --- .../TI map Domain entity to Syslog.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json new file mode 100644 index 00000000..45bfae87 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n 
| extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to Syslog", + "enabled": false, + "description": "Identifies a match in Syslog table from any Domain IOC from TI", + "alertRuleTemplateName": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa" + } + } + ] +} \ No newline at end of file From 6f5416a33d1acb7f57671bff8caf296e01edf0be Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:12 +0000 Subject: [PATCH 319/375] Exported file: TI map Email entity to AzureActivity.json.json --- .../TI map Email entity to AzureActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json new file mode 100644 index 00000000..87307357 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efea115d-c997-4be7-adcb-95afd6643a0a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efea115d-c997-4be7-adcb-95afd6643a0a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, 
EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \nResourceGroup, SubscriptionId\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to AzureActivity", + "enabled": false, + "description": "Identifies a match in AzureActivity table from any Email IOC from TI", + "alertRuleTemplateName": "cca3b4d9-ac39-4109-8b93-65bb284003e6" + } + } + ] +} \ No newline at end of file From f3afc69f01286c39d754539d3b8aedaecb5bbcea Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:13 +0000 Subject: [PATCH 320/375] Exported file: TI map Email entity to CommonSecurityLog.json.json --- ...map Email entity to CommonSecurityLog.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json 
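Review bot: The join `on $left.EmailSenderAddress == $right.Caller` is case-sensitive and only the AzureActivity side is normalized with `| extend Caller = tolower(Caller)`, so an indicator whose EmailSenderAddress was ingested with any uppercase character can never match. Adding `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the ThreatIntelligenceIndicator side, directly before `| join kind=innerunique (`, makes the comparison case-insensitive on both sides, which is the only option because KQL join keys do not accept `=~`. The same one-sided normalization appears in the following Email hunks for CommonSecurityLog (`DestinationUserID`), SecurityAlert (`EntityEmail`) and SecurityEvent (`TargetUserName`), and the same one-line fix applies to each.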
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json new file mode 100644 index 00000000..dd6cb3d2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/149a0db6-2ad7-4e69-bf36-0c4f62873101')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/149a0db6-2ad7-4e69-bf36-0c4f62873101')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where 
CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to CommonSecurityLog", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI", + "alertRuleTemplateName": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63" + } + } + ] +} \ No newline at end of file From c5344cecae25d8bea41d72f4a0e45fa49bab784f Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:13 +0000 Subject: [PATCH 321/375] Exported file: TI map Email entity to OfficeActivity.json.json --- ...TI map Email entity to OfficeActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json new file mode 100644 index 00000000..1f3aee6d --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, 
EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to OfficeActivity", + "enabled": false, + "description": "Identifies a match in OfficeActivity table from any Email IOC from TI", + "alertRuleTemplateName": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2" + } + } + ] +} \ No newline at end of file From 92933c0df7aaecc7dc2d58971561e45235ea7e37 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:14 +0000 Subject: [PATCH 322/375] Exported file: TI map Email entity to SecurityAlert.json.json --- .../TI map Email entity to SecurityAlert.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json 
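Review bot: Unlike the sibling Email rules, the OfficeActivity branch never lowercases `UserId` before the join `on $left.EmailSenderAddress == $right.UserId`; OfficeActivity may record the UPN with mixed case, and because `emailregex` accepts both `a-z` and `A-Z` such rows pass the filter and then silently fail the case-sensitive join. Insert `| extend UserId = tolower(UserId)` after the `isnotempty(UserId)` filter and before `| where UserId matches regex emailregex`, matching the `tolower` normalization the AzureActivity and CommonSecurityLog rules apply to their log-side key.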
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json new file mode 100644 index 00000000..e93dc3e4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/789aca0f-8766-49a2-84b7-1d68e2db7652')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/789aca0f-8766-49a2-84b7-1d68e2db7652')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert \n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = 
tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to SecurityAlert", + "enabled": false, + "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others", + 
"alertRuleTemplateName": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc" + } + } + ] +} \ No newline at end of file From f6128e21c48729337f33b22c439e6d1a793c9df1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:15 +0000 Subject: [PATCH 323/375] Exported file: TI map Email entity to SecurityEvent.json.json --- .../TI map Email entity to SecurityEvent.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json new file mode 100644 index 00000000..9040d0eb --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/481c342f-c33a-455b-82d5-2205b068f5d0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/481c342f-c33a-455b-82d5-2205b068f5d0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend TargetUserName = tolower(TargetUserName)\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\n | extend SecurityEvent_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = 
arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to SecurityEvent", + "enabled": false, + "description": "Identifies a match in SecurityEvent table from any Email IOC from TI", + "alertRuleTemplateName": "2fc5d810-c9cc-491a-b564-841427ae0e50" + } + } + ] +} \ No newline at end of file From cca34057dcc48d97ebc3600de7c242cd0b792291 Mon Sep 17 00:00:00 2001 
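Review bot: `let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';` is declared but never used in this query; unlike the other Email rules there is no `matches regex emailregex` filter, so every SecurityEvent row with a non-empty TargetUserName from the last hour enters the join even though only a UPN-form value can ever equal an EmailSenderAddress. Adding `| where TargetUserName matches regex emailregex` after the `| extend TargetUserName = tolower(TargetUserName)` step keeps the rule consistent with its siblings, documents the UPN assumption in the query itself, and reduces the join input. If the intent was to match sAMAccountName logons as well, the comment `//Normalizing the column to lower case for exact match with EmailSenderAddress column` should say how an account name without an `@` is expected to match an e-mail indicator, since as written it cannot.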
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:16 +0000 Subject: [PATCH 324/375] Exported file: TI map Email entity to SigninLogs.json.json --- .../TI map Email entity to SigninLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json new file mode 100644 index 00000000..90b58046 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = 
tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, 
+ "displayName": "TI map Email entity to SigninLogs", + "enabled": false, + "description": "Identifies a match in SigninLogs table from any Email IOC from TI", + "alertRuleTemplateName": "30fa312c-31eb-43d8-b0cc-bcbdfb360822" + } + } + ] +} \ No newline at end of file From d4382952fbdf8c22fa53b3a64ef4379dbb09c93d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:16 +0000 Subject: [PATCH 325/375] Exported file: TI map File Hash to CommonSecurityLog Event.json.json --- ... File Hash to CommonSecurityLog Event.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json new file mode 100644 index 00000000..87ccc2ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json 
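Review bot: Inside aadFunc, `| extend Status = todynamic(DeviceDetail)` followed by `StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)` reads the sign-in result out of the DeviceDetail column, so StatusCode and StatusDetails will presumably always be empty in the projected output; the errorCode/additionalDetails fields live in the SigninLogs `Status` column, so this looks like it should be `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)` — worth confirming against the table schema. A second mismatch: the comment says UserPrincipalName is lowercased "for exact match with EmailSenderAddress column", but EmailSenderAddress itself is never normalised, so an indicator stored in mixed case will never match the lowercased UPN. Adding `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side before the join makes both sides agree.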
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9f798a0-8821-4cde-9667-21d84cc45915')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9f798a0-8821-4cde-9667-21d84cc45915')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map File Hash to CommonSecurityLog Event", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI", + "alertRuleTemplateName": "5d33fc63-b83b-4913-b95e-94d13f0d379f" + } + } + ] +} \ No newline at end of file From fec35ea53dfe7714fb78a8503eb404e36a6a45f2 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:17 +0000 Subject: [PATCH 326/375] Exported file: TI map File Hash to Security Event.json.json --- .../TI map File Hash to Security Event.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json new file mode 100644 index 00000000..ea816559 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/689e109d-46e0-4f54-b0b4-1377167cd660')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/689e109d-46e0-4f54-b0b4-1377167cd660')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, 
HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map File Hash to Security Event", + "enabled": false, + "description": "Identifies a match in Security Event data from any File Hash IOC from TI", + "alertRuleTemplateName": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf" + } + } + ] +} \ No newline at end of file From 6f4d9d1358864c643886bcd904b6c1bcc9723e39 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:18 +0000 Subject: [PATCH 327/375] Exported file: TI map IP entity to AWSCloudTrail.json.json --- .../TI map IP entity to AWSCloudTrail.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json new file mode 100644 index 00000000..fb100404 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json 
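Review bot: The join `on $left.FileHashValue == $right.FileHash` is case-sensitive, whereas the sibling CommonSecurityLog rule in this series (hunk for "TI map File Hash to CommonSecurityLog Event") unions lower- and upper-cased copies of the indicator set precisely so that hex hashes stored in a different case still match; here a hash reported in upper case by SecurityEvent against a lower-case indicator is silently dropped. Reusing that union pattern, or lowercasing both `FileHashValue` and `FileHash` before the join, would align the two rules. Separately, `| where EventID in (\"8003\",\"8002\",\"8005\")` compares the numeric EventID column against string literals; `| where EventID in (8002, 8003, 8005)` is the unambiguous form and worth confirming behaves as intended.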
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32d3c923-7729-41bc-8b18-790e97726d79')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32d3c923-7729-41bc-8b18-790e97726d79')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AWSCloudTrail", + "enabled": false, + "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI", + "alertRuleTemplateName": "f110287e-1358-490d-8147-ed804b328514" + } + } + ] +} \ No newline at end of file 
From a1738ffa913532cb2a9ff09337d1867bf02ddfdb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:19 +0000 Subject: [PATCH 328/375] Exported file: TI map IP entity to AppServiceHTTPLogs.json.json --- ...I map IP entity to AppServiceHTTPLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json new file mode 100644 index 00000000..1ecbb4dc --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n // renaming time column so it is clear the log this came from\n | extend AppService_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CIp\n| where AppService_TimeGenerated < ExpirationDateTime\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AppServiceHTTPLogs", + "enabled": false, + "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI", + "alertRuleTemplateName": "f9949656-473f-4503-bf43-a9d9890f7d08" + } + } + ] +} \ No newline at end of file 
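Review bot: `URLCustomEntity = CsHost` feeds the URL entity (identifier `Url`) with the HTTP Host header, which is a bare hostname rather than a URL, so the mapped entity is unlikely to resolve to anything useful for the analyst; a Host entity mapping such as `{ "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "CsHost" } ] }` matches the data better, and a URL mapping should only be kept if the query assembles an actual URL. Also `WebApp = split(_ResourceId, '/')[8]` is computed in the join subquery and then recomputed in the `project`; the first `extend` can be dropped, or the project can reference `WebApp` directly.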
From 02c85fc3b9d03f4fb52e39fe75422af2adfda561 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:20 +0000 Subject: [PATCH 329/375] Exported file: TI map IP entity to Azure Key Vault logs.json.json --- ...map IP entity to Azure Key Vault logs.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json new file mode 100644 index 00000000..30687ab8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34be0f95-d845-4501-a64f-3f272d3e7d52')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34be0f95-d845-4501-a64f-3f272d3e7d52')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n)\non $left.TI_ipEntity == $right.ClientIP\n| where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n| summarize KeyVaultEvents_TimeGenerated = 
arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n| extend timestamp = KeyVaultEvents_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Azure Key Vault logs", + "enabled": false, + "description": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI", + "alertRuleTemplateName": "57c7e832-64eb-411f-8928-4133f01f4a25" + } + } + ] +} \ No newline at end of file From adbe7ec614f50fdd99b30fa53526b8feee993828 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:20 +0000 Subject: [PATCH 330/375] Exported file: TI map IP entity to Azure SQL Security Audit Events.json.json --- ...ty to Azure SQL Security Audit Events.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json new file mode 100644 index 00000000..c6db79c8 --- /dev/null 
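Review bot: This rule has no `entityMappings` block, unlike every other rule in this series, so incidents it raises carry no IP or Account entity even though `ClientIP` and the identity claim columns are projected; at minimum an IP mapping `{ "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } ] }` should be added. The indicator side also skips the `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` step the other hunks apply before `| where Active == true`, so every historical version of an indicator within the 14-day window is joined, inflating matches and re-matching indicators whose latest version was deactivated. Both gaps recur in the following hunk ("TI map IP entity to Azure SQL Security Audit Events"). The description string `"Identifies a match in Azure Key Vault logsfrom any IP IOC from TI"` is also missing a space in "logsfrom".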
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail 
due to event specific schemas\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\"), Action = column_ifexists(\"action_name_s\", \"Not Available\"), \n Application = column_ifexists(\"application_name_s\", \"Not Available\"), HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n)\non $left.TI_ipEntity == $right.ClientIP\n| where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Azure SQL Security Audit Events", + "enabled": false, + "description": "Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI", + "alertRuleTemplateName": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85" + } + } + ] +} \ No newline at end of file From 88574aaaefd2e27436b82f537da6e2f228d78e35 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:21 +0000 Subject: [PATCH 331/375] Exported file: TI map IP entity to AzureActivity.json.json --- .../TI map IP entity to AzureActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json new file mode 100644 index 00000000..3cc5e808 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AzureActivity", + "enabled": false, + "description": "Identifies a match in AzureActivity from any IP IOC from TI", + "alertRuleTemplateName": "2441bce9-02e4-407b-8cc7-7d597f38b8b0" + } + } + ] +} \ No newline at end of file 
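Review bot: The detection window is hard-coded as `let dt_lookBack = 1h;` and the indicator window as `let ioc_lookBack = 14d;` inside the query string, while the schedule lives in the separate `"queryFrequency": "PT1H"` and `"queryPeriod": "P14D"` properties, so the two can silently drift apart if either side is edited; the same coupling exists in the AzureFirewall, NSG Flow Logs, DnsEvents, Duo Security, OfficeActivity and SigninLogs rules in this series. If the rule is later scheduled to run less often than hourly, events falling between runs are never inspected, and nothing in the file says so. I would add the comment `// dt_lookBack must cover queryFrequency (PT1H) and ioc_lookBack must match queryPeriod (P14D); keep them in sync` next to the two declarations.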
From a04f74f3a4a8f79619c1d33816e4c2d5816624cc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:22 +0000 Subject: [PATCH 332/375] Exported file: TI map IP entity to AzureFirewall.json.json --- .../TI map IP entity to AzureFirewall.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json new file mode 100644 index 00000000..d28e4d71 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Action @'\\.' Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\n | where isnotempty(RemoteIP)\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where AzureFirewall_TimeGenerated < ExpirationDateTime\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + 
"entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AzureFirewall", + "enabled": false, + "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI", + "alertRuleTemplateName": "0b904747-1336-4363-8d84-df2710bfe5e7" + } + } + ] +} \ No newline at end of file From daec71c6936feb50a7b6bf9b152edbd7b1f92d26 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:23 +0000 Subject: [PATCH 333/375] Exported file: TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json.json --- ...reNetworkAnalytics_CL (NSG Flow Logs).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json new file mode 100644 index 00000000..aa067349 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fa2554b-b319-4605-ad60-92601ac5d7ba')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fa2554b-b319-4605-ad60-92601ac5d7ba')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == \"A\"\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], 
+ "techniques": null, + "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", + "enabled": false, + "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed", + "alertRuleTemplateName": "a4025a76-6490-4e6b-bb69-d02be4b03f07" + } + } + ] +} \ No newline at end of file From 5e72685d17a27eebe1807852626fb0e26ceabf42 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:23 +0000 Subject: [PATCH 334/375] Exported file: TI map IP entity to DnsEvents.json.json --- .../TI map IP entity to DnsEvents.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json new file mode 100644 index 00000000..867984dc --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58d21291-77aa-4e73-9603-1cefbe80b39c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58d21291-77aa-4e73-9603-1cefbe80b39c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to DnsEvents", + "enabled": false, + "description": "Identifies a match in DnsEvents from any IP IOC from TI", + "alertRuleTemplateName": "69b7723c-2889-469f-8b55-a2d355ed9c87" + } + } + ] +} \ No newline at end of file 
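Review bot: The IP entity is mapped to `ClientIP` (the host that issued the lookup) via `IPCustomEntity = ClientIP`, while the indicator match happens on `SingleIP`, a resolved address taken from `IPAddresses`, so the matched IOC address only appears as the `TI_ipEntity` column and is not a pivotable entity in the incident. If that is intended, a comment such as `// IP entity is the querying client; the matched indicator address is kept in TI_ipEntity` inside the subquery would make it clear; otherwise a second `"entityType": "IP"` mapping whose `columnName` is `TI_ipEntity` would expose both. Separately, `split(IPAddresses, ",")` followed by an exact-equality join assumes the answers are comma-separated with no surrounding whitespace — worth verifying against the DnsEvents data, since a `", "` separator would leave a leading space and never match.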
From b866e55844da848e556192a2a7aefbd5349616f6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:24 +0000 Subject: [PATCH 335/375] Exported file: TI map IP entity to Duo Security.json.json --- .../TI map IP entity to Duo Security.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json new file mode 100644 index 00000000..83f1a1ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eba9eb63-e5e8-4617-87f7-492aedad803a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eba9eb63-e5e8-4617-87f7-492aedad803a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == 
$right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Duo Security", + "enabled": false, + "description": "Identifies a match in DuoSecurity from any IP IOC from TI", + "alertRuleTemplateName": "d23ed927-5be3-4902-a9c1-85f841eb4fa1" + } + } + ] +} \ No newline at end of file From 6243c18ed4130236b1f5855feb669d91e600b4b7 Mon Sep 17 00:00:00 2001 
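Review bot: Unlike the sibling rules in this series, this query applies `| where Active == true` without first collapsing ThreatIntelligenceIndicator to its latest row per indicator, so an indicator that was later deactivated still matches through its older `Active == true` rows, and there is no `Duo_TimeGenerated < ExpirationDateTime` check after the join. The post-join `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` then collapses every Duo event for an indicator into a single row instead of one per source address. I would insert `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` before the `Active` filter, add `| where Duo_TimeGenerated < ExpirationDateTime` after the `on` clause, and group the final summarize `by IndicatorId, access_device_ip_s`. The `Duo_TimeGenerated = isotimestamp_t` assignment presumably relies on `isotimestamp_t` being a datetime column — confirm, since the comparison above needs that type.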
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:25 +0000 Subject: [PATCH 336/375] Exported file: TI map IP entity to GitHub_CL.json.json --- .../TI map IP entity to GitHub_CL.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json new file mode 100644 index 00000000..09aeb7aa --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/049d9663-9edb-4269-8bfa-340896d5cfe4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/049d9663-9edb-4269-8bfa-340896d5cfe4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = 
GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to GitHub_CL", + "enabled": false, + "description": "Identifies a match in GitHub_CL table from any IP IOC from TI", + "alertRuleTemplateName": "aac495a9-feb1-446d-b08e-a1164a539452" + } + } + ] +} \ No newline at end of file From baed79a20bf5de6c333cee7c896aeab0dcfb12eb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:26 +0000 Subject: [PATCH 337/375] Exported file: TI map IP entity to OfficeActivity.json.json --- .../TI map IP entity to OfficeActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json new file mode 100644 index 00000000..78721a0a --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json 
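Review bot: `| where Action == true` on the ThreatIntelligenceIndicator side looks like a typo for `| where Active == true`, which is the filter every other rule in this series uses; `Action` is a column projected later from the GitHubAudit side, and if the TI table exposes `Action` as a string the comparison with `true` either fails to compile or matches nothing. The query also skips the checks its siblings apply — no `ExpirationDateTime > now()`, no `arg_max(TimeGenerated, *) by IndicatorId` dedup and no `GitHubAudit_TimeGenerated < ExpirationDateTime` after the join — so expired or superseded indicators can still fire. On documentation, `displayName` and `description` refer to a `GitHub_CL` table while the query reads `GitHubAudit`; one of them should be corrected so operators know which table the rule actually depends on.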
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to OfficeActivity", + "enabled": false, + "description": "Identifies a match in OfficeActivity from any IP IOC from TI", + "alertRuleTemplateName": "f15370f4-c6fa-42c5-9be4-1d308f40284e" + } + } + ] +} \ No newline at end of file From 79fb732e1f0eeff956e24dab7b00d8f4b6c6e8e7 Mon Sep 17 00:00:00 2001 
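Review bot: The join compares `ClientIP` verbatim with `TI_ipEntity`; OfficeActivity `ClientIP` values can, for some record types, carry a `:port` suffix or bracketed IPv6 form (to be confirmed against live data), and such rows would never match while the rule reports nothing. I would add `// ClientIP is compared verbatim; records with a ':port' suffix will not match — normalize before the join if your data contains them` inside the subquery, or normalize the column there once the format is confirmed. As a point of style, the `| summarize ... by IndicatorId` here omits the matched IP that the sibling rules include in their grouping; it is equivalent because the join already equates `ClientIP` with `TI_ipEntity`, but `by IndicatorId, ClientIP` would keep the rules uniform.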
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:27 +0000 Subject: [PATCH 338/375] Exported file: TI map IP entity to SigninLogs.json.json --- .../TI map IP entity to SigninLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json new file mode 100644 index 00000000..d42c80cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ccf4287-558c-445f-9331-ebb58c2be800')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ccf4287-558c-445f-9331-ebb58c2be800')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + 
"identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to SigninLogs", + "enabled": false, + "description": "Identifies a match in SigninLogs from any IP IOC from TI", + "alertRuleTemplateName": "f2eb15bd-8a88-4b24-9281-e133edfba315" + } + } + ] +} \ No newline at end of file From 90df05974c4ddea92d6ab9b31472730537d384eb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:27 +0000 Subject: [PATCH 339/375] Exported file: TI map IP entity to VMConnection.json.json --- .../TI map IP entity to VMConnection.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json new file mode 100644 index 00000000..6144c2fa --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0a9646c6-c11c-4190-83be-ff0440581ebd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0a9646c6-c11c-4190-83be-ff0440581ebd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| where VMConnection_TimeGenerated < ExpirationDateTime\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to VMConnection", + "enabled": false, + "description": "Identifies a match in VMConnection from any IP IOC from TI", + "alertRuleTemplateName": "9713e3c0-1410-468d-b79e-383448434b2d" + } + } + ] +} \ No newline at end of file From d12f1b001506c9f6fbdca4ce9b8b4982eb302025 Mon Sep 17 00:00:00 2001 
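Review bot: Unlike the W3CIISLog and WireData rules in this same export, the VMConnection subquery does not pre-filter on its join key, so rows with an empty `RemoteIp` are carried into the innerunique join before being discarded; add `| where isnotempty(RemoteIp)` after the `dt_lookBack` filter for consistency and to keep the right side small. `Direction` is projected but never used to scope the match, so an inbound probe from a listed scanner IP raises the same Medium alert as an outbound connection from a VM to that IP. If inbound noise turns out to be a problem, a commented-out `//| where Direction == "outbound"` line (the PaloAlto rule uses the same pattern for `block-url`) would document the tuning knob — verify the column's actual values in this workspace before relying on it.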
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:28 +0000 Subject: [PATCH 340/375] Exported file: TI map IP entity to W3CIISLog.json.json --- .../TI map IP entity to W3CIISLog.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json new file mode 100644 index 00000000..2d186704 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/324b11f6-6382-45b4-934b-3f60ff4457a3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/324b11f6-6382-45b4-934b-3f60ff4457a3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n // renaming time column so it is clear the log this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.cIP\n| where W3CIISLog_TimeGenerated < ExpirationDateTime\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to W3CIISLog", + "enabled": false, + "description": "Identifies a match in W3CIISLog from any IP IOC from TI", + "alertRuleTemplateName": 
"5e45930c-09b1-4430-b2d1-cc75ada0dc0f" + } + } + ] +} \ No newline at end of file From c3dd10407ce593108edcf98ca78a69b0c9f58705 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:29 +0000 Subject: [PATCH 341/375] Exported file: TI map IP entity to WireData.json.json --- .../TI map IP entity to WireData.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to WireData.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json new file mode 100644 index 00000000..a8cbfc13 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
WireData | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(RemoteIP)\n // renaming time column so it is clear the log this came from\n | extend WireData_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where WireData_TimeGenerated < ExpirationDateTime\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to WireData", + "enabled": false, + "description": "Identifies a match in WireData from any IP IOC from TI", + "alertRuleTemplateName": "a50766a7-0674-4ccb-8845-15dc55a80ba1" + } + } + ] +} \ No newline at end of file From f6f26a2fcc56968ee824c7209701efbb77b0496a Mon Sep 17 00:00:00 2001 
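Review bot: The subquery selects on `TimeGenerated >= ago(dt_lookBack)` with `dt_lookBack = 1h` while the rule runs hourly (`queryFrequency: PT1H`), so a WireData record that lands in the workspace later than the built-in ingestion-delay allowance after its TimeGenerated is outside the window of every run and is never checked against TI. The PaloAlto rule in this same export handles this with `| extend IngestionTime = ingestion_time()` followed by `| where IngestionTime > ago(dt_lookBack)`; the same two lines fit here in place of the TimeGenerated filter. Keep the later `WireData_TimeGenerated < ExpirationDateTime` comparison on event time, not ingestion time, since that is what the indicator's validity window refers to.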
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:30 +0000 Subject: [PATCH 342/375] Exported file: TI map URL entity to AuditLogs.json.json --- .../TI map URL entity to AuditLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json new file mode 100644 index 00000000..0db2b994 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, 
*) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to AuditLogs", + "enabled": false, + "description": "Identifies a match in AuditLogs from any URL IOC from TI", + "alertRuleTemplateName": "712fab52-2a7d-401e-a08c-ff939cc7c25e" + } + } + ] +} \ No newline at end of file From b8ca73ba25c2df25e3428ca28e03a528d5e4f984 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:30 +0000 Subject: [PATCH 343/375] Exported file: TI map URL entity to OfficeActivity data.json.json --- ...map URL entity to OfficeActivity data.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json 
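Review bot: The character class `[$-_@.&+]` in the URL regex is a range from `$` (0x24) to `_` (0x5F), not the three literal characters; that range also admits `,`, `;`, `<`, `>`, `[`, `]`, `\` and `^`, so the greedy `+` can run the captured URL past its real end into the surrounding JSON of `TargetResources`, and the equality join on `Url` then silently misses the indicator. Escape the hyphen or move it last: `[$_@.&+-]`. The `;` after the capture group also means only URLs immediately followed by a semicolon are extracted at all; if that is intentional for this field's serialization it deserves a comment, otherwise it should be dropped. Finally, `HostCustomEntity = TargetResourceDisplayName` maps the display name of the directory object acted on (presumably a user, group or application) onto a `Host` entity, which looks like the wrong entity type for this data.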
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json new file mode 100644 index 00000000..03f38954 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, 
iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \n) on Url\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to OfficeActivity data", + "enabled": false, + "description": "Identifies a match in OfficeActivity data from any URL IOC from TI", + "alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b" + } + } + ] +} \ No newline at end of file From 430a7f59df997333f58fbd1ef4319886bf82f164 Mon Sep 17 00:00:00 2001 
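Review bot: `tostring(parse_json(Parameters)[0].Vlaue)` in the `User` fallback misspells the property name (`Vlaue` for `Value`), so for records with neither `UserId` nor `Actor` the identity resolves to an empty string and the Account entity is blank; the expression should read `tostring(parse_json(Parameters)[0].Value)`, presuming `Parameters` is the usual array of name/value pairs — check the stored key spelling in this workspace before changing it. The non-AzureActiveDirectory branch also relies on a fixed position, `parse_json(ModifiedProperties)[12].NewValue`, which is brittle across workloads and operations; a comment stating which workload that index is tuned for would help whoever maintains this next.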
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:31 +0000 Subject: [PATCH 344/375] Exported file: TI map URL entity to PaloAlto data.json.json --- .../TI map URL entity to PaloAlto data.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json new file mode 100644 index 00000000..c1250d23 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be59c13c-c811-4444-9a72-b69c713672b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be59c13c-c811-4444-9a72-b69c713672b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ 
\"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to PaloAlto data", + "enabled": false, + "description": "Identifies a match in PaloAlto data from any URL IOC from TI", + "alertRuleTemplateName": "106813db-679e-4382-a51b-1bfc463befc3" + } + } + ] +} \ No newline at end of file From cef2fb17ba01fdca77a79545fc3699f6825d451f Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:32 +0000 Subject: [PATCH 345/375] Exported file: TI map URL entity to SecurityAlert data.json.json --- ... map URL entity to SecurityAlert data.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json new file mode 100644 index 00000000..1349ea09 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e857375b-b96a-4757-a5a6-c0ed478ee5de')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e857375b-b96a-4757-a5a6-c0ed478ee5de')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,Entities)\n // We only want alerts that actually contain URL data\n | where isnotempty(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = 
TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to SecurityAlert data", + "enabled": false, + "description": "Identifies a match in SecurityAlert data from any URL IOC from TI", + "alertRuleTemplateName": "f30a47c1-65fb-42b1-a7f4-00941c12550b" + } + } + ] +} \ No newline at end of file From 9af96cb385a2ae38eec0895cfad9a4a0226454c9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:33 +0000 Subject: [PATCH 346/375] Exported file: TI map URL entity to Syslog data.json.json --- .../TI map URL entity to Syslog data.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json 
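Review bot: The join only ever sees the first URL in an alert, because `extract(\"(http[s]?://...)\", 1, Entities)` returns a single match while the `Entities` JSON can carry several URL entities, so an indicator that matches the second or later URL is never joined. The same single-match `extract` is applied to `SyslogMessage` in the following 'TI map URL entity to Syslog data' hunk. Replacing it with `extract_all(...)` followed by `| mv-expand Url to typeof(string)` before `| where isnotempty(Url)` makes every URL in the record a join candidate. Note also that `[$-_@.&+]` in the pattern is a character range (0x24–0x5F), not the literal set it looks like; the range is what admits `/`, `:`, `?` and `=`, so a comment such as `// NOTE: $-_ is a range and supplies / : ? = — do not "tidy" it into a literal set` would stop a future cleanup from silently breaking the match.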
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json new file mode 100644 index 00000000..1d5cd75b --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80491722-4553-4683-a9a0-8f14ea6dfe08')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80491722-4553-4683-a9a0-8f14ea6dfe08')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, 
Computer, ProcessName, Url, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to Syslog data", + "enabled": false, + "description": "Identifies a match in Syslog data from any URL IOC from TI", + "alertRuleTemplateName": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf" + } + } + ] +} \ No newline at end of file From 2a460563098ff72f6491489c7053c0745771ffde Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:34 +0000 Subject: [PATCH 347/375] Exported file: Threats detected by Eset.json.json --- .../Threats detected by Eset.json | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Threats detected by Eset.json diff --git a/SentinelExported-AnalyticsRule/Threats detected by Eset.json b/SentinelExported-AnalyticsRule/Threats detected by Eset.json new file mode 100644 index 00000000..f18c55d7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Threats detected by Eset.json 
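Review bot: The subquery's `| where TimeGenerated >= ago(dt_lookBack)` with `let dt_lookBack = 1h;` and `"queryFrequency": "PT1H"` leaves no overlap between consecutive runs, so a Syslog record whose ingestion lags the scheduled run is never evaluated against the indicators. Agent-forwarded Syslog commonly arrives minutes late, though the actual delay in this workspace is not visible here. The cheap mitigation is a window larger than the frequency, e.g. `let dt_lookBack = 2h;` (the `"queryPeriod": "P14D"` already allows it), accepting that a match may be reported by two consecutive runs; the later `summarize ... arg_max(...) by IndicatorId, Url` still keeps each run to one row per pair.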
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb68e7af-1e04-45c3-985f-76e076002f57')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb68e7af-1e04-45c3-985f-76e076002f57')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "CredentialAccess", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Threats detected by Eset", + "enabled": false, + "description": "Escalates threats detected by Eset.", + 
"alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6" + } + } + ] +} \ No newline at end of file From 0742260759552cb076a93f1427d5cdd8914fce8e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:34 +0000 Subject: [PATCH 348/375] Exported file: Time series anomaly detection for total volume of traffic.json.json --- ...detection for total volume of traffic.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json diff --git a/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json new file mode 100644 index 00000000..959377cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d781e96-280e-4760-8a74-e28bcd7ef128')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d781e96-280e-4760-8a74-e28bcd7ef128')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet percentotalthreshold = 50;\nlet TimeSeriesData = CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\n// Filtering specific records associated with spikes as outliers\nlet TimeSeriesAlerts=materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated);\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\n| extend AnomalyHour = TimeGeneratedHour\n) on AnomalyHour, DeviceVendor\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\n| where PercentTotal > percentotalthreshold\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + 
"groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "Time series anomaly detection for total volume of traffic", + "enabled": false, + "description": "Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious", + "alertRuleTemplateName": "06a9b845-6a95-4432-a78b-83919b28c375" + } + } + ] +} \ No newline at end of file From de5293523e1e0b87e5260387a9ea16a285219e14 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:35 +0000 Subject: [PATCH 349/375] Exported file: Time series anomaly for data size transferred to public internet.json.json --- ...a size transferred to public internet.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json 
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json new file mode 100644 index 00000000..c701785c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26ed4120-b9df-487e-bf25-3f179ebf75f4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26ed4120-b9df-487e-bf25-3f179ebf75f4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet bytessentperhourthreshold = 10;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet TimeSeriesData = (union isfuzzy=true\n(\nVMConnection\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| project TimeGenerated, BytesSent, DeviceVendor\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n),\n(\nCommonSecurityLog\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| project 
TimeGenerated, SentBytes, DeviceVendor\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n)\n);\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n//Union of all BaseLogs aggregated per hour\nlet BaseLogs = (union isfuzzy=true\n(\nCommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where 
TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n),\n(\nVMConnection\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n)\n);\n// Join against base logs to retrive records associated with the hour of 
anomoly\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\n) on DeviceVendor, AnomalyHour | sort by score desc\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "Time series anomaly for data size transferred to public internet", + "enabled": false, + "description": "Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious", + "alertRuleTemplateName": "f2dd4a3a-ebac-4994-9499-1a859938c947" + } + } + ] +} \ No newline at end of file From 3d7a4e6ef4fd787e3dbb8961bbb70e2def5f1047 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:36 +0000 Subject: [PATCH 350/375] Exported file: Trust Monitor Event.json.json --- .../Trust Monitor Event.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Trust Monitor Event.json diff --git a/SentinelExported-AnalyticsRule/Trust Monitor Event.json b/SentinelExported-AnalyticsRule/Trust Monitor Event.json new file mode 100644 index 00000000..66054f76 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Trust Monitor Event.json 
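Review bot: `PrivateIPregex` classifies everything it does not list as `public`, and it lists only loopback and the RFC 1918 blocks, so link-local 169.254/16, CGNAT 100.64/10, multicast 224/4 and the unspecified 0.0.0.0 all count as transfers to the public internet and feed both the baseline series and the anomaly join in the `CommonSecurityLog` and `VMConnection` branches. Link-local and multicast chatter (mDNS, SSDP, DHCP) can be a sizeable share of a host's `BytesSent`, which inflates `TotalBytesSent` and can mask or manufacture a spike. Extending the literal, e.g. `let PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.|^169\\.254\\.|^100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\\.|^22[4-9]\\.|^23[0-9]\\.|^0\\.';`, keeps the rule's intent; IPv6 destinations match none of the alternatives and also land in `public`, which deserves a comment if that is deliberate.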
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2397d157-f3c4-485d-acd3-008ab8612c60')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2397d157-f3c4-485d-acd3-008ab8612c60')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeframe = ago(5m);\nDuoSecurityTrustMonitor_CL\n| where TimeGenerated >= timeframe\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Trust Monitor Event", + "enabled": false, + "description": "This query identifies when a new trust monitor event is detected.", + "alertRuleTemplateName": "8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182" + } + } + ] +} \ No newline at 
end of file From 3234bdc00234816629c5e2a925d3dcd98fee13b6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:37 +0000 Subject: [PATCH 351/375] Exported file: User Accessed Suspicious URL Categories.json.json --- ...er Accessed Suspicious URL Categories.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json diff --git a/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json new file mode 100644 index 00000000..079df84a --- /dev/null +++ b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json 
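Review bot: The in-query filter `| where TimeGenerated >= timeframe` with `let timeframe = ago(5m);` duplicates the rule's own `"queryPeriod": "PT5M"` window and makes it strictly tighter: `ago(5m)` is evaluated when the query executes, so scheduling drift or ingestion delay on `DuoSecurityTrustMonitor_CL` (a polled custom table, so some delay is plausible but not visible here) pushes events out of both windows and they are never alerted on. Dropping the `let`/`where` pair and letting `queryPeriod` bound the scan, or widening `queryPeriod` beyond `queryFrequency`, closes the gap. The rule also sets no `timestamp` column, which the other rules in this series do with `| extend timestamp = TimeGenerated, ...`.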
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e16dc82-ea01-41d5-aa55-6390a418421d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e16dc82-ea01-41d5-aa55-6390a418421d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nSymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "User Accessed Suspicious URL Categories", + "enabled": false, + "description": "Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.", + "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90" + } + } + ] +} \ No newline at end of file From e1dfa2c91cef3428a57c2a37ac43c1be767f5957 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:38 +0000 Subject: [PATCH 352/375] Exported file: User Accounts - Sign in Failure due to CA Spikes.json.json --- ...ts - Sign in Failure due to CA Spikes.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json diff --git a/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json new file mode 100644 index 00000000..39dd9a72 --- /dev/null +++ b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\n| project TimeGenerated, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Accounts - Sign in Failure due to CA Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c4c856cf764694a6a8f557b1d6838a2ffef02701 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:38 +0000
Subject: [PATCH 353/375] Exported file: User Assigned Privileged Role.json.json
---
.../User Assigned Privileged Role.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
diff --git a/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
new file mode 100644
index 00000000..27d37b55
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
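Review bot: `queryPeriod` is `P1D`, but the query builds its baseline from `let starttime = 14d;` and `make-series ... from startofday(ago(starttime))`; as far as I understand the scheduled-rule lookback, the rule's period bounds the data the query can see, so thirteen of the fourteen daily bins would be empty and `series_decompose_anomalies` would have no real baseline to score against — the lookback should match the query, `"queryPeriod": "P14D"`. `let allSignins = union isfuzzy=true aadSignin, aadNonInt ;` is declared and never referenced and can be dropped. The description also has a typo and a leading space (`" Identifies ... policied."` → `"Identifies ... policies."`).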
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "User Assigned Privileged Role",
+ "enabled": false,
+ "description": "Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "050b9b3d-53d0-4364-a3da-1b678b8211ec"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d08c93064324d3f61effd0c7c19e1bd257569605 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:39 +0000
Subject: [PATCH 354/375] Exported file: User Login from Different Countries within 3 hours.json.json
---
...om Different Countries within 3 hours.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
diff --git a/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
new file mode 100644
index 00000000..0835b8b6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
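Review bot: The privileged-role selection is `| where RoleName contains \"Admin\"`, a substring match on the display name, so sensitive built-in roles whose names do not contain that word (Partner Tier2 Support or Directory Writers, for instance) never reach the alert; matching on the role template ID or an explicit `dynamic([...])` list of role names would make the coverage deliberate rather than incidental. Only `Target` is mapped as an Account entity while `Initiator` is summarized but never mapped, so the incident shows who received the role but not the user or app that granted it — a second Account mapping on an `InitiatorCustomEntity` column would close that gap. `Result` is grouped on but not filtered, so failed assignment attempts alert as well; that may be intended, but the description should say so.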
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Login from Different Countries within 3 hours",
+ "enabled": false,
+ "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours",
+ "alertRuleTemplateName": "2954d424-f786-4677-9ffc-c24c44c6e7d5"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1d3163595c6390baa19a916cc5dbb1fc4f822101 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:40 +0000
Subject: [PATCH 355/375] Exported file: User account added to built in domain local or global group.json.json
---
...built in domain local or global group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
new file mode 100644
index 00000000..721fa067
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
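Review bot: `NumOfCountries = dcount(client_geographicalContext_country_s)` will, if dcount treats an empty string as a value (confirm against the KQL docs), count a login whose country field is blank — a private or unresolvable source address — as a second country, so one geolocated login plus one blank one reaches `threshold = 2` and fires at High severity; add `| where isnotempty(client_geographicalContext_country_s)` before the summarize. The summarize keeps only the account, so the countries and client IPs that triggered the alert are not on the incident even though they are the first thing an analyst needs; `make_set(client_geographicalContext_country_s)` in the summarize, and an IP entity mapping on the client address column, would give the incident that context. `column_ifexists('published_t', now())` deliberately disables the time filter when the column is missing, which is worth a one-line comment in the query so nobody "fixes" it.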
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nSecurityEvent \n// When MemberName contains '-' this indicates addition of a group to a group\n| where AccountType == \"User\" and MemberName != \"-\"\n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group\n| where EventID in (4728, 4732, 4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\",OU|,CN\") - 3)\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a user account has been added to a privileged built in domain local group or global group \nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.",
+ "alertRuleTemplateName": "a35f2c18-1b97-458f-ad26-e033af18eb99"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d5451c077d390b27643009a31f4c8d12f49b6745 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:41 +0000
Subject: [PATCH 356/375] Exported file: User account created and deleted within 10 mins.json.json
---
...nt created and deleted within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
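Review bot: `SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\",OU|,CN\") - 3)` assumes MemberName is a `CN=...` distinguished name containing `,OU` or `,CN`; when it is not, `indexof_regex` returns -1, the length argument becomes -4, and the Account entity mapped from `SimpleMemberName` is empty or malformed for exactly those rows. Guard it with `| extend cut = indexof_regex(MemberName, @\",OU|,CN\")` followed by `| extend SimpleMemberName = iff(cut < 0, MemberName, substring(MemberName, 3, cut - 3))`. The SID patterns are anchored only at the end (`S-1-5-32-5[0-9][0-9]$`); that is harmless with `matches regex` on a SID column, but a leading `^` would make the intent explicit. `AccountType == \"User\"` is case-sensitive here while the sibling rules in this series use `=~`; one convention across the set would be easier to maintain.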
diff --git a/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
new file mode 100644
index 00000000..c2087015
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was created\n| where EventID == 4720\n| where AccountType =~ \"User\"\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was deleted\n | where EventID == 4726\n| where AccountType == \"User\"\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where deletionTime - creationTime < spanoftime\n| extend TimeDelta = deletionTime - creationTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account created and deleted within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "4b93c5af-d20b-4236-b696-a28b8c51407f"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 77d4d19acc8d4d12e4a4b183ff5d27054df8831a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:41 +0000
Subject: [PATCH 357/375] Exported file: User account enabled and disabled within 10 mins.json.json
---
...t enabled and disabled within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
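Review bot: The two sides of the join filter `AccountType` differently — `| where AccountType =~ \"User\"` on the 4720 side but `| where AccountType == \"User\"` on the 4726 side — so a casing difference in the field would silently drop only the deletions and the pair would never form; use `=~` on both, as the enable/disable rule in the next patch already does. The join is `on Computer, TargetAccount`, so a creation and a deletion processed by different domain controllers never pair up, which in a multi-DC domain is a real blind spot (the same applies to the enabled/disabled rule); joining on `TargetAccount` alone and keeping the `spanoftime` window would close it at the cost of a few extra rows. Only the creating account and the host are mapped as entities; the account that was created and removed (`TargetAccount`) is projected but not mapped, so the incident lacks the object of the action.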
diff --git a/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
new file mode 100644
index 00000000..e20a7721
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was enabled\n| where EventID == 4722\n| where AccountType =~ \"User\"\n| where TargetAccount !hassuffix \"$\"\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was disabled\n | where EventID == 4725\n| where AccountType =~ \"User\"\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where DisableTime - EnableTime < spanoftime\n| extend TimeDelta = DisableTime - EnableTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account enabled and disabled within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "3d023f64-8225-41a2-9570-2bd7c2c4535e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1411a6d5457eb4d0af43f682bba52692e2f063d0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:42 +0000
Subject: [PATCH 358/375] Exported file: User added to Azure Active Directory Privileged Groups.json.json
---
...re Active Directory Privileged Groups.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
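Review bot: The computer-account exclusion `| where TargetAccount !hassuffix \"$\"` is applied only to the 4722 (enable) side of the join; because the join is inner, unmatched 4725 rows are discarded anyway, so behaviour is unaffected, but applying the filter on both sides (or dropping it and relying on `AccountType =~ \"User\"`) makes the intent clearer. `let threshold = 0;` combined with `| where tolong(TimeDelta) >= threshold` is what rejects a disable that was logged before its enable, which the preceding `DisableTime - EnableTime < spanoftime` alone would accept; a comment on that line, `// threshold 0 rejects disable events that precede the enable`, would stop a future edit from removing it as dead code. Only `AccountUsedToEnable` and `Computer` are mapped as entities, so the toggled account itself (`TargetAccount`) is missing from the incident.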
diff --git a/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
new file mode 100644
index 00000000..7ef1fb82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-expand TargetResources\n| extend modProps = parse_json(TargetResources).modifiedProperties\n| mv-expand bagexpansion=array modProps\n| evaluate bag_unpack(modProps)\n| extend displayName = column_ifexists(\"displayName\", \"NotAvailable\"), newValue = column_ifexists(\"newValue\", \"NotAvailable\")\n| where displayName =~ \"Role.WellKnownObjectName\"\n| extend DisplayName = displayName, GroupName = replace('\"','',newValue)\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\n| extend AppId = initByApp.appId, \nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \"not available\"),\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\nUserId = initByUser.id,\nUserIPAddress = initByUser.ipAddress,\nUserRoles = initByUser.roles,\nUserPrincipalName = tostring(initByUser.userPrincipalName),\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \"not available\")\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User added to Azure Active Directory Privileged Groups",
+ "enabled": false,
+ "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+ "alertRuleTemplateName": "4d94d4a9-dc96-410a-8dea-4d4d4584188b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 08a1ac55937915ccb9d2629561d57215a65fb7c6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Mon, 27 Feb 2023 02:19:43 +0000
Subject: [PATCH 359/375] Exported file: User agent search for log4j exploitation attempt.json.json
---
...search for log4j exploitation attempt.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
diff --git a/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
new file mode 100644
index 00000000..c379ac60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
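Review bot: `GroupName = replace('\"','',newValue)` uses the legacy `replace()` form, whose first argument is interpreted as a regular expression; `replace_string('\"', '', newValue)` says what is meant and avoids the regex interpretation. The only entity mapped is the initiator (`AccountCustomEntity` falls back through `ServicePrincipalName`, `ServicePrincipalId`, `UserPrincipalName`), while the user actually added to the group, `TargetUserPrincipalName`, is projected but not mapped, so the incident records who made the change but not who received the privilege; add a second Account mapping on `TargetUserPrincipalName`, and `UserIPAddress` is available for an IP mapping as well. The commented-out `//| where InitiatedByDisplayName != \"MS-PIM\"` line is explained inline, which is good, but the `//| where LoggedByService =~ \"Core Directory\"` line above it is not — either document why it is disabled or remove it.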
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57d051c8-0108-455a-9a94-bfa7c7c8e565')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57d051c8-0108-455a-9a94-bfa7c7c8e565')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = 
requestUri_s\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(imWebSessions\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\n| extend timestamp = StartTime, AccountCustomEntity = Account, 
IPCustomEntity = SourceIP, UrlCustomEntity = URL\n),\n(imNetworkSession\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User agent search for log4j exploitation attempt", + "enabled": false, + "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", + "alertRuleTemplateName": "29283b22-a1c0-4d16-b0a9-3460b655a46a" + } + } + ] +} \ No newline at end of file From 035627a2fbc49ebe1cfa5149d3b2a6d751a6f46e Mon Sep 17 00:00:00 2001 
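Review bot: `UARegex` is a KQL verbatim string (`@'…'`), where backslashes are literal, so the `\\$` and `\\{` that the JSON decodes to reach RE2 as a literal backslash followed by an end-of-text anchor or a `{`; the first alternative therefore never matches a plain `${`, and a padded variant such as `${${lower:j}ndi:` (which contains no literal `${jndi:` for `has_any` to catch) goes undetected, leaving only the `%24%7B` URL-encoded form covered by the regex. Assuming the exporter preserved the rule text byte-for-byte, the intended pattern is `let UARegex = @'(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)';` (written with `\\$` / `\\{` inside the JSON string). Separately, `entityMappings` maps only `AccountCustomEntity`, yet the AzureDiagnostics branch emits no Account column and every branch emits `IPCustomEntity`, so WAF/App Gateway hits would surface with no entity at all; add `{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPCustomEntity"}]}` and a URL mapping on `UrlCustomEntity`.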
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:44 +0000 Subject: [PATCH 360/375] Exported file: User joining Zoom meeting from suspicious timezone.json.json --- ...Zoom meeting from suspicious timezone.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json diff --git a/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json new file mode 100644 index 00000000..4cd66a44 --- /dev/null +++ b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet schedule_lookback = 14d; \nlet join_lookback = 1d; \n// If you want to whitelist specific timezones include them in a list here\nlet tz_whitelist = dynamic([]);\nlet meetings = ( \nZoomLogs \n| where TimeGenerated >= ago(schedule_lookback) \n| where Event =~ \"meeting.created\" \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \nZoomLogs \n| where TimeGenerated >= ago(join_lookback) \n| where Event =~ \"meeting.participant_joined\" \n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| where JoinedTimeZone !in (tz_whitelist)\n| join (meetings) on MeetingId \n| where SchedTimezone != JoinedTimeZone \n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User joining Zoom meeting from suspicious timezone", + "enabled": false, + "description": "The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones", + "alertRuleTemplateName": "58fc0170-0877-4ea8-a9ff-d805e361cfae" + } + } + ] +} \ No newline at end of file From d830619b88539ec06b3bec0f21b05b79589e7489 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:44 +0000 Subject: [PATCH 361/375] Exported file: User login from different countries within 3 hours (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json new file mode 100644 index 00000000..6bd39a50 --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT3H", + "queryPeriod": "PT3H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let timeframe = ago(3h);\nlet threshold = 2;\nimAuthentication\n| where TimeGenerated > timeframe\n| where EventType=='Logon' and EventResult=='Success'\n| where isnotempty(SrcGeoCountry)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\n , NumOfCountries = dcount(SrcGeoCountry)\n by TargetUserId, TargetUsername, TargetUserType\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User login from different 
countries within 3 hours (Uses Authentication Normalization)", + "enabled": false, + "description": "This query searches for successful user logins from different countries within 3 hours.\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "09ec8fa2-b25f-4696-bfae-05a7b85d7b9e" + } + } + ] +} \ No newline at end of file From 63de8dd6ef630c0cff2a6758dd878cd914da6687 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:45 +0000 Subject: [PATCH 362/375] Exported file: Users searching for VIP user activity.json.json --- ...Users searching for VIP user activity.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Users searching for VIP user activity.json diff --git a/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json new file mode 100644 index 00000000..cd2e9241 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json 
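Review bot: The result carries only the count `NumOfCountries`, so an analyst sees that a user hit two or more countries but not which ones or from where; add `Countries = make_set(SrcGeoCountry), SrcIps = make_set(SrcIpAddr)` to the `summarize` so the evidence lands in the alert. Also, `queryFrequency` and `queryPeriod` are both `PT3H` and the query additionally pins `timeframe = ago(3h)`, so two logins that straddle a run boundary (one at 2:59 and one at 3:01 into consecutive windows) are never counted together; a small overlap (for example `queryPeriod` of `PT4H` with `let timeframe = ago(4h);`) closes that gap at the cost of some repeat alerts, which the existing `suppressionDuration` can absorb.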
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/604dfab2-c845-4910-876f-76dce9eb58cb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/604dfab2-c845-4910-876f-76dce9eb58cb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + 
"Collection", + "Exfiltration" + ], + "techniques": null, + "displayName": "Users searching for VIP user activity", + "enabled": false, + "description": "This query monitors for users running Log Analytics queries that contain filters\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.", + "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e" + } + } + ] +} \ No newline at end of file From 3516cb03e4a3201c326b8698af1c6bc901de9095 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:46 +0000 Subject: [PATCH 363/375] Exported file: Valid Analytic Rule 1.json.json --- .../Valid Analytic Rule 1.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json diff --git a/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json new file mode 100644 index 00000000..809909b8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json 
@@ -0,0 +1,55 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed27aa54-2adc-4774-ae30-6f84a1de0213')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed27aa54-2adc-4774-ae30-6f84a1de0213')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "SecurityAlert", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "alert name {{AlertName}}", + "alertDescriptionFormat": "DESC test {{Description}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "tactics": [], + "techniques": null, + "displayName": "Valid Analytic Rule 1", + "enabled": true, + "description": "DESCRIPTION CHECK", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From b3156dce3cd3f175da5c86316a7600986f32d270 Mon Sep 17 00:00:00 2001 
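Review bot: This rule is exported with `"enabled": true`, the bare query `SecurityAlert` with no predicate, and `"severity": "High"`, while its text (`DESCRIPTION CHECK`, `alert name {{AlertName}}`, `DESC test`) marks it as a test artifact; deploying the template would re-raise every alert already in the workspace as a High incident every five hours, likely duplicating incidents that any Microsoft-security incident-creation rules already open for the same alerts. It is the only rule in this batch exported in the enabled state. Either drop the file from the export or set `"enabled": false` and give `query` a real filter (for instance on `ProviderName` and `AlertSeverity`) before it is committed.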
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:47 +0000 Subject: [PATCH 364/375] Exported file: Vectra AI Detect - Detections with High Severity.json.json --- ...etect - Detections with High Severity.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json new file mode 100644 index 00000000..5276902f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc28747a-f907-4cf8-b2e2-099b4663b67e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc28747a-f907-4cf8-b2e2-099b4663b67e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == 
\"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", 
+ "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Detections with High Severity", + "enabled": false, + "description": "Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.", + "alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798" + } + } + ] +} \ No newline at end of file From 4cd8bdb447f90affdc47b4ed5e40cda404110f45 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:48 +0000 Subject: [PATCH 365/375] Exported file: Vectra AI Detect - New Campaign Detected.json.json --- ...tra AI Detect - New Campaign Detected.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json new file mode 100644 index 00000000..efaa9e94 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID contains \"campaign\"\n| where DeviceAction == \"START\"\n| extend reason = extract(\"reason=(.+?)$\", 1, AdditionalExtensions)\n| project-rename vectra_URL = DeviceCustomString4\n| project Activity,SourceHostName, reason, vectra_URL\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CommandAndControl" + ], + 
"techniques": null, + "displayName": "Vectra AI Detect - New Campaign Detected", + "enabled": false, + "description": "Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.", + "alertRuleTemplateName": "a34d0338-eda0-42b5-8b93-32aae0d7a501" + } + } + ] +} \ No newline at end of file From 43b29b4e31e57acf3468440e24427f7181183f1a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:48 +0000 Subject: [PATCH 366/375] Exported file: Vectra AI Detect - Suspected Compromised Account.json.json --- ...etect - Suspected Compromised Account.json | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json new file mode 100644 index 00000000..e5c6ffe8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n 
threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", + "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Suspected Compromised Account", + "enabled": false, + "description": "Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.", + "alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0" + } + } + ] +} \ No newline at end of file 
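Review bot: The `level` bucketing has an inconsistent boundary: with `threat_score < 50` a `certainty_score` of exactly 50 lands in "Medium" (`>= 50`), but with `threat_score >= 50` the "High" branch uses `certainty_score <= 50` and is evaluated first, so certainty 50 yields "High" while 51 yields "Critical"; change that branch to `threat_score >= 50 and certainty_score < 50, "High",` so 50 is classified the same way on both sides. The comment `//keep only the event with the highest threat score per Host` sits above `summarize arg_max(threat_score, *) by saccount`, which keys on the account, not the host; reword it to `per account`. `saccount` is extracted with `saccount=(.+?);`, so if that field is ever the last extension in `AdditionalExtensions` (no trailing `;`) it extracts as empty and the row groups under a blank key with an empty Account entity; add `| where isnotempty(saccount)` or accept `(;|$)` as the terminator.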
From cc18dff1fbcfdcd614bbb5a767ec247c9b4760be Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:49 +0000 Subject: [PATCH 367/375] Exported file: Vectra AI Detect - Suspected Compromised Host.json.json --- ...I Detect - Suspected Compromised Host.json | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json new file mode 100644 index 00000000..05d83de4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a414027e-9d31-4716-84b5-41bc3cefbde1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a414027e-9d31-4716-84b5-41bc3cefbde1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat 
score per Host\n| summarize arg_max(threat_score, *) by SourceHostName\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", + "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Suspected Compromised Host", + "enabled": false, + "description": "Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.", + "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63" + } + } + ] +} \ No newline at end of file From ed98a47a33c9da826788f9be0a2f81816854e1f8 Mon Sep 17 00:00:00 2001 
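Review bot: The `level` case() in this rule's query has an inconsistent boundary: its third branch tests `certainty_score <= 50` while the other branches split at `< 50` / `>= 50`, so an event with threat_score >= 50 and certainty_score exactly 50 is classified "High" (Severity "Medium") rather than "Critical" (Severity "High"), because case() stops at the first matching branch. Changing that branch to `threat_score >= 50 and certainty_score < 50, \"High\",` makes the four bands a clean partition matching the Low/Medium/High/Critical ladder the description promises. The identical case() appears in the Suspicious Behaviors rule (next patch) and in the Suspected Compromised Account rule whose hunk begins before this chunk, and needs the same change there. The description string also closes a parenthesis it never opened (`Level of severity are: Low, Medium, High, Critical)`).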
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:50 +0000 Subject: [PATCH 368/375] Exported file: Vectra AI Detect - Suspicious Behaviors.json.json --- ...ctra AI Detect - Suspicious Behaviors.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json new file mode 100644 index 00000000..af7df314 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\" \n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename triaged = DeviceCustomString5\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL 
MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity , Activity\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", + "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Suspicious Behaviors", + "enabled": false, + "description": "Create an incident for each new malicious behavior detected by Vectra Detect. \nBy default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.", + "alertRuleTemplateName": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3" + } + } + ] +} \ No newline at end of file From def00822563545e0484ea9d0d3deb9a7460a8a58 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:51 +0000 Subject: [PATCH 369/375] Exported file: Vulnerable Machines related to OMIGOD CVE-2021-38647.json.json --- ...ines related to OMIGOD CVE-2021-38647.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json new file mode 100644 index 00000000..2f384871 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json 
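Review bot: The fallback literal in the `source_entity` case() is misspelled, `\"UNKNWON\")`, while every other fallback in this query uses `\"UNKNOWN\"`; because source_entity is the summarize key and a projected column, the misspelled value surfaces in alerts and in any downstream filter on it. Fix: `isnotempty(SourceHostName), SourceHostName,\n \"UNKNOWN\")`. Separately, the rule's `tactics` metadata lists CredentialAccess and Collection, but the query's Tactic mapping only ever yields CommandAndControl, Impact, Exfiltration, LateralMovement or Discovery, so the metadata appears to overstate what the rule can detect — worth reconciling with the intended Category list.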
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/00f4fd35-801a-4996-a1c5-bde58605be5c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/00f4fd35-801a-4996-a1c5-bde58605be5c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647", + "enabled": false, + "description": "This query uses the Azure Defender 
Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b" + } + } + ] +} \ No newline at end of file From 7d655870e52ab57a9441e3c60972fbba2e7d5b79 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:52 +0000 Subject: [PATCH 370/375] Exported file: Vulnerable Machines related to log4j CVE-2021-44228.json.json --- ...hines related to log4j CVE-2021-44228.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json new file mode 100644 index 00000000..7586f07a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json 
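Review bot: The query selects affected machines with a free-text `| where RemediationDescription has 'CVE-2021-38647'` even though it already carries a `VulnerabilityId` column through the summarize; if that column holds the CVE identifier (not visible from this export), filtering on it, e.g. `| where VulnerabilityId =~ 'CVE-2021-38647'`, would be more robust than matching wording in a remediation text the provider can rephrase at any time. The parsed column is spelled `VirtualMAchine` in three places; a consistent `VirtualMachine` would read better, but all three occurrences must change together. The log4j rule in the next patch has the identical structure and the same points apply to it. The description string also misspells "reference" as "refrence".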
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1217fe0b-489f-434b-9c6d-877c44610d0b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1217fe0b-489f-434b-9c6d-877c44610d0b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Vulnerable Machines related to log4j CVE-2021-44228", + "enabled": false, + "description": "This query uses the Azure Defender 
Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271", + "alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a" + } + } + ] +} \ No newline at end of file From b0f7b16c8cabdafd69efd4e66fbd42e24cff1d4a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:52 +0000 Subject: [PATCH 371/375] Exported file: Wazuh - Large Number of Web errors from an IP.json.json --- ...Large Number of Web errors from an IP.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json diff --git a/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json new file mode 100644 index 00000000..87204239 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nCommonSecurityLog\n| where DeviceProduct =~ \"Wazuh\"\n| where Activity has \"Web server 400 error code.\"\n| where Message has \"403\"\n| extend HostName=substring(split(DeviceCustomString1,\")\")[0],1)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\n| where NumberOfErrors > 400\n| sort by NumberOfErrors desc\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + 
], + "techniques": null, + "displayName": "Wazuh - Large Number of Web errors from an IP", + "enabled": false, + "description": "Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst", + "alertRuleTemplateName": "2790795b-7dba-483e-853f-44aa0bc9c985" + } + } + ] +} \ No newline at end of file From 22b13aec2ff080add35ff28797014ffc2175cb76 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:53 +0000 Subject: [PATCH 372/375] Exported file: Web sites blocked by Eset.json.json --- .../Web sites blocked by Eset.json | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Web sites blocked by Eset.json diff --git a/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json new file mode 100644 index 00000000..7722ffc8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json 
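Review bot: The threshold in this query can never be met: `NumberOfErrors = dcount(SourceIP) by HostName, SourceIP` counts distinct SourceIP values inside a group that is itself keyed on SourceIP, so NumberOfErrors is always 1 and `| where NumberOfErrors > 400` discards every row. The description ("over 400 '403' Web Errors from one IP Address") calls for an event count: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP`. Note also that `| where Message has \"403\"` matches the token 403 anywhere in the message rather than the HTTP status specifically; if the Wazuh CEF mapping carries the status in a dedicated field, that would be the more precise filter.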
@@ -0,0 +1,88 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "eset_CL\n| where event_type_s == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl", + 
"InitialAccess" + ], + "techniques": null, + "displayName": "Web sites blocked by Eset", + "enabled": false, + "description": "Create alert on web sites blocked by Eset.", + "alertRuleTemplateName": "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9" + } + } + ] +} \ No newline at end of file From 06dcb6e259de3e6ef90d97a03e9351b9cf6ea12f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:54 +0000 Subject: [PATCH 373/375] Exported file: Zoom E2E Encryption Disabled.json.json --- .../Zoom E2E Encryption Disabled.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json diff --git a/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json new file mode 100644 index 00000000..e1fea2e8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json 
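Review bot: The query forwards every `FilteredWebsites_Event` row with no aggregation or threshold, and with `queryFrequency`/`queryPeriod` of PT5M, `triggerThreshold` 0 and `createIncident` true the rule will open a new incident on every five-minute run in which ESET blocked any site at all. If that volume is not intended, a `| summarize count() by username_s, hostname_s` with a minimum count, or a narrower filter on whatever category field the eset_CL data provides, would keep the rule actionable. The export has `"enabled": false`, so this only takes effect once the rule is switched on.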
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/675ea0df-9fff-4dc5-b0ee-521faf737c55')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/675ea0df-9fff-4dc5-b0ee-521faf737c55')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend NewE2ESetting = columnifexists(\"payload_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| extend OldE2ESetting = columnifexists(\"payload_old_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery" + ], + "techniques": null, + "displayName": "Zoom E2E Encryption Disabled", + "enabled": false, + "description": "This alerts when end to end encryption is disabled for Zoom meetings.", 
+ "alertRuleTemplateName": "e4779bdc-397a-4b71-be28-59e6a1e1d16b" + } + } + ] +} \ No newline at end of file From 51c45ea7ae7ab590f7a7ba75d0a293e022008d7c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:55 +0000 Subject: [PATCH 374/375] Exported file: new file added -- 2_14_2013.json.json --- .../new file added -- 2_14_2013.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json diff --git a/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json new file mode 100644 index 00000000..07598ea9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json 
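Review bot: The query's condition appears inverted relative to the rule's name and description: `| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'` fires when the in-meeting e2e_encryption setting changes from false to true, i.e. when end-to-end encryption is turned on, whereas the displayName and description say it alerts when encryption is disabled. Unless the payload boolean carries an inverted meaning in Zoom's `account.settings_updated` event, the intended check is `| where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'`. This is worth confirming against a real event before enabling, because as written the rule is silent on exactly the change it is meant to catch.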
@@ -0,0 +1,55 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/895522a3-ae18-4771-add7-334f7b4a3124')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/895522a3-ae18-4771-add7-334f7b4a3124')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CommonSecurityLog", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [ + "ResourceDevelopment" + ], + "techniques": [ + "T1583", + "T1586", + "T1584" + ], + "displayName": "new file added -- 2/14/2013", + "enabled": true, + "description": "new file added -- 2/14/2013", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From ef0970f22441837859e7f2a160cd772e0eb47245 Mon Sep 17 00:00:00 2001 
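Review bot: This rule is exported with `"enabled": true` and `"createIncident": true` while its query is the bare table `CommonSecurityLog`, so on every PT5H run it raises a Medium-severity alert and an incident for any CEF event present in the workspace, tagged with the ResourceDevelopment tactic and techniques T1583/T1584/T1586 that the query does not actually detect. The displayName and description ("new file added -- 2/14/2013") mark it as a placeholder; it should be exported with `"enabled": false` or dropped from the rule set so it is not deployed by the template. The "new test rule 1" export in the next patch is the same bare `CommonSecurityLog` query with `"enabled": true` (createIncident is false there, but it still produces a daily alert on any data).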
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 02:19:56 +0000 Subject: [PATCH 375/375] Exported file: new test rule 1.json.json --- .../new test rule 1.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/new test rule 1.json diff --git a/SentinelExported-AnalyticsRule/new test rule 1.json b/SentinelExported-AnalyticsRule/new test rule 1.json new file mode 100644 index 00000000..ed09e71a --- /dev/null +++ b/SentinelExported-AnalyticsRule/new test rule 1.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c48bc19c-dba4-4da3-b215-c9086150d26f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c48bc19c-dba4-4da3-b215-c9086150d26f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CommonSecurityLog", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": false, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [], + "techniques": [], + "displayName": "new test rule 1", + "enabled": true, + "description": "", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file