From 0a4e0f6eeca79a8fe95d2b9e687e42d68e8ac4a3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:02 +0000
Subject: [PATCH 001/375] Exported file:
./.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json.json
---
..._c4780b67-8059-45a5-8dc8-0301570477c0.json | 376 ++++++++++++++++++
1 file changed, 376 insertions(+)
create mode 100644 .sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
diff --git a/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
new file mode 100644
index 00000000..e2d864b0
--- /dev/null
+++ b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
@@ -0,0 +1,376 @@
+{
+ "64ce2f23-eab3-4e96-899a-bd2403d21a86": "\"a7004ad4-0000-0800-0000-63d45e2f0000\"",
+ "c48bc19c-dba4-4da3-b215-c9086150d26f": "\"a70052d4-0000-0800-0000-63d45e300000\"",
+ "c2cab3a7-b80c-4b53-8126-9affe3ef96d4": "\"35002d68-0000-0800-0000-63f5638f0000\"",
+ "6a14a7a3-8278-47a8-b17a-2f9f1571362c": "\"3500554e-0000-0800-0000-63f55b050000\"",
+ "835a2032-8b67-4e89-a5c6-2d3c04526a70": "\"35007b4c-0000-0800-0000-63f557450000\"",
+ "bbe16dbb-c5b1-4796-a640-23be2e6e1e6f": "\"35007e4c-0000-0800-0000-63f557590000\"",
+ "29579f11-7599-48db-9ded-b81730a99f26": "\"3500844c-0000-0800-0000-63f5576e0000\"",
+ "9f7a0194-705a-45f9-a54d-a1a1d29354e0": "\"3500a24c-0000-0800-0000-63f557a90000\"",
+ "1dbb9018-2cb3-4818-87e0-8a4a5a1980dc": "\"3500ab4c-0000-0800-0000-63f557c40000\"",
+ "4d197e7a-078d-4401-9359-9c84a2335885": "\"3500b14c-0000-0800-0000-63f557d90000\"",
+ "118cc3d5-6ab5-493a-a0a9-793c9dd09875": "\"250037d3-0000-0800-0000-63ec4af90000\"",
+ "84af311a-0ca0-4e6e-9626-65cbcd255ceb": "\"3500b54c-0000-0800-0000-63f557f20000\"",
+ "fa3714b9-e6fa-4839-92cf-c7a3329e0edb": "\"3500ce4c-0000-0800-0000-63f558410000\"",
+ "2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd": "\"3500d34c-0000-0800-0000-63f558540000\"",
+ "3bef0ebd-28b7-465d-9f37-f2e69d390dbc": "\"3500ed4c-0000-0800-0000-63f558a60000\"",
+ "b129d496-e02c-479f-a5c7-16cc71ef63ad": "\"3500404d-0000-0800-0000-63f558bc0000\"",
+ "62e59eb2-2ac3-4a04-b73e-9aaea7a00c90": "\"35009f4d-0000-0800-0000-63f558d00000\"",
+ "8628a3cf-01b4-40ff-b06c-1ff6d5678535": "\"3500c34d-0000-0800-0000-63f558ea0000\"",
+ "2cca3599-da9a-4231-a9d2-b1f733201dbd": "\"3500c94d-0000-0800-0000-63f559010000\"",
+ "ee43dc07-3a2f-4c4d-b460-557389385470": "\"3500ce4d-0000-0800-0000-63f5591f0000\"",
+ "45f5eb6b-e221-44e3-928c-a372d76d1a6d": "\"3500d74d-0000-0800-0000-63f559350000\"",
+ "7b61a883-0219-4ac3-8058-29afe81b8e7e": "\"3500df4d-0000-0800-0000-63f559540000\"",
+ "5835ecfd-6b56-4f8e-9719-74d85e34c077": "\"3500e24d-0000-0800-0000-63f5596c0000\"",
+ "798fde9b-d47c-4158-99e0-326a7f4e29d6": "\"3500ea4d-0000-0800-0000-63f559830000\"",
+ "a4490aac-93b0-4262-b08d-fb4bc4e74dd6": "\"3500f44d-0000-0800-0000-63f559990000\"",
+ "fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246": "\"3500fa4d-0000-0800-0000-63f559c30000\"",
+ "5892dbb0-9d3b-485a-b4cf-147e30b22cbe": "\"3500fe4d-0000-0800-0000-63f559d40000\"",
+ "75e2a7e7-535e-47ca-9fea-d30a0f0f104d": "\"3500064e-0000-0800-0000-63f559ee0000\"",
+ "288cca7e-3f39-42fc-ada2-eca124936ec2": "\"35000b4e-0000-0800-0000-63f55a000000\"",
+ "769308db-305a-47ed-9837-bfb6bec71ea7": "\"35001f4e-0000-0800-0000-63f55a5c0000\"",
+ "24b268fb-0acf-4315-808e-f1e941506be3": "\"3500264e-0000-0800-0000-63f55a740000\"",
+ "10254512-df08-4fea-8619-c505e87d377b": "\"3500354e-0000-0800-0000-63f55a870000\"",
+ "aa392189-9ff4-40f3-af07-3c2e454d5b22": "\"3500384e-0000-0800-0000-63f55a9b0000\"",
+ "78389019-b3c8-476c-9867-dee37f00f6ea": "\"35003c4e-0000-0800-0000-63f55ab20000\"",
+ "c2397090-face-41f6-ae70-89fc66312292": "\"3500474e-0000-0800-0000-63f55ac90000\"",
+ "edb16bf3-eeca-4545-901f-6b4d79a41be9": "\"35004a4e-0000-0800-0000-63f55add0000\"",
+ "6d3d9221-367e-4954-836b-a53bfb08d042": "\"35004f4e-0000-0800-0000-63f55af20000\"",
+ "09171b34-9e5d-4554-8675-f564c77f739d": "\"3500584e-0000-0800-0000-63f55b170000\"",
+ "0993b38b-fb86-4dc8-8b3d-8531f0b2e12b": "\"3500654e-0000-0800-0000-63f55b300000\"",
+ "15ce6bf5-76f6-4160-a6ab-cae48ccd14c7": "\"3500804e-0000-0800-0000-63f55b440000\"",
+ "defe98a5-5be4-4a6c-9808-eef4c1946f37": "\"3500004f-0000-0800-0000-63f55b600000\"",
+ "ebbc52fe-8427-412b-98a7-6804d5506f7d": "\"35003a4f-0000-0800-0000-63f55b740000\"",
+ "44975607-3f23-4632-871e-b08b59ebd68c": "\"3500834f-0000-0800-0000-63f55b880000\"",
+ "74a06942-f4b8-440a-bcbb-829dc41948ba": "\"3500be4f-0000-0800-0000-63f55b9a0000\"",
+ "4e137990-3aad-4695-8ea5-eac1e16a9451": "\"35001150-0000-0800-0000-63f55bb00000\"",
+ "dea3bd60-9ee8-49fd-a859-3bab903451e5": "\"35005550-0000-0800-0000-63f55bc20000\"",
+ "0bffacb7-52da-463c-8ae4-62c09da8c510": "\"35009c50-0000-0800-0000-63f55bd70000\"",
+ "d6f670a3-6443-47c0-8c9e-387a1d0e58c0": "\"35000f51-0000-0800-0000-63f55bea0000\"",
+ "05c4ea76-9c7f-4865-824b-178cbb899a82": "\"35006a51-0000-0800-0000-63f55c030000\"",
+ "7bf49942-c5ad-448a-bf6b-893f39186ea2": "\"3500ef51-0000-0800-0000-63f55c200000\"",
+ "5410fda8-a757-41b6-97f1-79a08f07dd0f": "\"35004852-0000-0800-0000-63f55c330000\"",
+ "41f05d3b-cc19-40f4-942e-d6748668eb18": "\"35008b52-0000-0800-0000-63f55c460000\"",
+ "4f53eb74-71dc-4775-a62c-ff48580a8bb2": "\"3500cc52-0000-0800-0000-63f55c580000\"",
+ "4413d174-435c-48a7-8a3c-437db7ff3939": "\"35001753-0000-0800-0000-63f55c6d0000\"",
+ "ece1918c-59f2-43ec-841a-7ef0e99c3b7f": "\"35006a53-0000-0800-0000-63f55c800000\"",
+ "29e3406d-b57c-411b-8604-4b77ff01e36f": "\"3500c153-0000-0800-0000-63f55c920000\"",
+ "d06f4dc9-2343-4bd9-85a1-86436bcf45fb": "\"35001554-0000-0800-0000-63f55ca60000\"",
+ "094a8752-7d9e-4873-84ee-ff561e73b3c0": "\"35007854-0000-0800-0000-63f55cbd0000\"",
+ "afa9ee13-2d74-4ca6-bb7e-8193ba946d40": "\"35008954-0000-0800-0000-63f55cd40000\"",
+ "872545df-734f-481c-acd9-4a2d7af889e3": "\"35008f54-0000-0800-0000-63f55ce80000\"",
+ "6be5f005-18ec-4034-8f0d-13b8ce42b11a": "\"3500a054-0000-0800-0000-63f55cfb0000\"",
+ "7d5851b1-5d59-44da-9b51-5a0482707723": "\"3500a454-0000-0800-0000-63f55d0e0000\"",
+ "d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a": "\"3500a754-0000-0800-0000-63f55d2c0000\"",
+ "814a077a-8846-4195-af81-d17d1bbfd54d": "\"3500c354-0000-0800-0000-63f55d4a0000\"",
+ "2888ae98-ce2c-44e9-a841-001e775b0b7a": "\"3500ca54-0000-0800-0000-63f55d610000\"",
+ "a438db5b-f71f-4cb7-98ad-335e3b8ba533": "\"3500ce54-0000-0800-0000-63f55d730000\"",
+ "cda5807c-80cb-4159-adcb-884589deef20": "\"3500d654-0000-0800-0000-63f55d8f0000\"",
+ "4a9a7b49-4e79-4f64-b778-209a63227af1": "\"3500e154-0000-0800-0000-63f55da10000\"",
+ "56bd3d9c-25ae-42f7-80b5-b3be274f9971": "\"35000655-0000-0800-0000-63f55df70000\"",
+ "fc32fc57-e12b-4823-b40a-86ede70b5af7": "\"35001d55-0000-0800-0000-63f55e0d0000\"",
+ "1ffcf2eb-7b20-4385-add1-d47244784479": "\"35009c55-0000-0800-0000-63f55e200000\"",
+ "a095755b-fc1c-4311-a607-118eb9170048": "\"3500b056-0000-0800-0000-63f55e340000\"",
+ "9bcc4a9b-d85e-4927-a32e-b8284cfa5422": "\"3500ba57-0000-0800-0000-63f55e470000\"",
+ "aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4": "\"3500bc58-0000-0800-0000-63f55e5a0000\"",
+ "3df7345e-b037-4478-a753-dd23d194b187": "\"3500165a-0000-0800-0000-63f55e740000\"",
+ "8e494d49-35d6-4cea-b30d-29f22c179aab": "\"35008a5b-0000-0800-0000-63f55e8c0000\"",
+ "f6dda353-e32a-41e2-b892-87012ab48a79": "\"35002d5d-0000-0800-0000-63f55eaa0000\"",
+ "ece332c1-3f76-49d9-92fb-c94bc4af948d": "\"3500755e-0000-0800-0000-63f55ebf0000\"",
+ "b40835ac-6aa1-44c8-94ee-9634550cbf43": "\"35005a60-0000-0800-0000-63f55eda0000\"",
+ "af215a8a-6d4d-4018-9e57-232303ee41d6": "\"3500c561-0000-0800-0000-63f55eed0000\"",
+ "ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e": "\"3500df63-0000-0800-0000-63f55f060000\"",
+ "eef3a7d9-3be0-461b-9136-dfd2485f0fe5": "\"3500b064-0000-0800-0000-63f55f1b0000\"",
+ "4715c9ad-d4c0-4eed-b1a7-fa0a808deff4": "\"3500b664-0000-0800-0000-63f55f360000\"",
+ "6769d928-39db-442b-8af3-4477e02f38fc": "\"3500bb64-0000-0800-0000-63f55f490000\"",
+ "fd78be72-fc73-4cb5-aef3-b9f61b35c1be": "\"3500bf64-0000-0800-0000-63f55f5e0000\"",
+ "08df1b8f-e53a-4f2e-9bd3-b3908f512f46": "\"3500c264-0000-0800-0000-63f55f730000\"",
+ "9aa0f3fe-1c85-48de-b37f-63b61b97b3d6": "\"3500c964-0000-0800-0000-63f55f8a0000\"",
+ "6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974": "\"3500cc64-0000-0800-0000-63f55f9f0000\"",
+ "33e7e266-a87e-454d-8e09-6d3e131d75ee": "\"3500d264-0000-0800-0000-63f55fb80000\"",
+ "881f8a7b-1178-4f35-9b02-7fc5414ba7f8": "\"3500df64-0000-0800-0000-63f55fcd0000\"",
+ "79061028-980a-4760-881b-52e79c1015c6": "\"35007565-0000-0800-0000-63f55fdf0000\"",
+ "b674088a-825a-4b49-ad10-7ffa5d483059": "\"35006b66-0000-0800-0000-63f55ff50000\"",
+ "f740a0e2-386b-4470-8b13-284d2ee5dce5": "\"35000467-0000-0800-0000-63f560170000\"",
+ "fd536808-fae9-4fc6-b046-9cd28b7e9e19": "\"35000867-0000-0800-0000-63f5602a0000\"",
+ "3e4f6960-6e74-4b97-960b-6eca2383de68": "\"35001f67-0000-0800-0000-63f560440000\"",
+ "41da3e01-b685-4352-bded-ae2646b20c5c": "\"35002667-0000-0800-0000-63f560680000\"",
+ "8e545f53-bfa1-47e0-997d-d7f67d02eda4": "\"35002b67-0000-0800-0000-63f5607d0000\"",
+ "bde332b1-a602-44eb-b834-99dc1e0b42d9": "\"35002e67-0000-0800-0000-63f5608e0000\"",
+ "bc94a765-bab8-4692-9cec-86978582f1b8": "\"35003467-0000-0800-0000-63f560a40000\"",
+ "7791c2cc-28ac-4387-87e7-9ddda54c2543": "\"35003767-0000-0800-0000-63f560b70000\"",
+ "99d7dd4b-3f78-4f82-b514-82a22fe2eb3a": "\"35003a67-0000-0800-0000-63f560cd0000\"",
+ "3c22319a-c4d1-411e-8764-72a96333f21e": "\"35004b67-0000-0800-0000-63f561270000\"",
+ "0ae05016-a937-41c9-92ab-9c347b0ea127": "\"35005167-0000-0800-0000-63f561410000\"",
+ "534eed88-50e6-4584-a8f0-c245d16537e9": "\"35005767-0000-0800-0000-63f561530000\"",
+ "f440c27a-949f-44a8-8617-6533617ce4c6": "\"35006367-0000-0800-0000-63f561660000\"",
+ "f41c2cf0-14ea-42fb-a07e-c7514a198d17": "\"35006a67-0000-0800-0000-63f5617c0000\"",
+ "8931ab6f-b308-4242-9876-014014c6b8ff": "\"35007167-0000-0800-0000-63f561950000\"",
+ "a21f9398-0e6d-4d8a-a9cf-4becee5853b0": "\"35007667-0000-0800-0000-63f561ad0000\"",
+ "b0a0ec4e-ca45-42df-aaca-8487d921115d": "\"35007967-0000-0800-0000-63f561c20000\"",
+ "4e451694-0fbc-4df8-83ca-1cbc82d3e019": "\"35007e67-0000-0800-0000-63f561da0000\"",
+ "511e0713-a13f-4f83-8021-b8a22bb9bcc4": "\"35008267-0000-0800-0000-63f561ed0000\"",
+ "176ecb24-2007-4d65-a832-af6efe88afb5": "\"35008667-0000-0800-0000-63f562010000\"",
+ "a37d6c4a-630f-40f1-8ed7-85033c97b226": "\"35008a67-0000-0800-0000-63f562160000\"",
+ "3e0c16d9-b987-4982-8917-261b9b619c83": "\"35008f67-0000-0800-0000-63f562280000\"",
+ "a48aee53-b375-4d5c-b0e2-9d534f99bed8": "\"35009267-0000-0800-0000-63f5623a0000\"",
+ "a52b38c6-0473-4282-b1ac-a34022f46447": "\"35009867-0000-0800-0000-63f562520000\"",
+ "b52679aa-c825-444f-8dc3-2e679658b552": "\"35009b67-0000-0800-0000-63f5626c0000\"",
+ "d12000f0-f1b6-4344-bb3c-a8988e77eb75": "\"35009f67-0000-0800-0000-63f5627f0000\"",
+ "75cbd5b7-4158-4e21-8ce3-8197e05caa7f": "\"3500ab67-0000-0800-0000-63f562940000\"",
+ "675ea0df-9fff-4dc5-b0ee-521faf737c55": "\"3500b367-0000-0800-0000-63f562a80000\"",
+ "215089a8-4173-47cc-801b-56f449b9e978": "\"3500b667-0000-0800-0000-63f562bd0000\"",
+ "efea115d-c997-4be7-adcb-95afd6643a0a": "\"3500bd67-0000-0800-0000-63f562da0000\"",
+ "da88214f-a4b3-48fc-b8c3-fa71bb3ef678": "\"3500c267-0000-0800-0000-63f562f10000\"",
+ "149a0db6-2ad7-4e69-bf36-0c4f62873101": "\"35000568-0000-0800-0000-63f5633f0000\"",
+ "789aca0f-8766-49a2-84b7-1d68e2db7652": "\"35000b68-0000-0800-0000-63f563550000\"",
+ "481c342f-c33a-455b-82d5-2205b068f5d0": "\"35002668-0000-0800-0000-63f563660000\"",
+ "204119a5-daf5-4bfb-a565-a6bbf5dec2ad": "\"35002a68-0000-0800-0000-63f563780000\"",
+ "eb68e7af-1e04-45c3-985f-76e076002f57": "\"35004a68-0000-0800-0000-63f563aa0000\"",
+ "b42fd648-56d8-405b-8303-ecbf32e7f3be": "\"35005468-0000-0800-0000-63f563bd0000\"",
+ "f25caf39-8a25-48d1-b564-3098bfb1a4b3": "\"35006b68-0000-0800-0000-63f563d10000\"",
+ "d7b90ebc-9243-4837-bc04-15808d6fffdf": "\"35007968-0000-0800-0000-63f563e50000\"",
+ "e6926bd2-1c73-494e-b193-b5853be6b838": "\"35007c68-0000-0800-0000-63f563f80000\"",
+ "5178c35e-cf89-4442-b41b-ff963659f9a5": "\"35008168-0000-0800-0000-63f564120000\"",
+ "25bd255a-bf5e-4c83-b39f-fb8570442411": "\"35008468-0000-0800-0000-63f564250000\"",
+ "b7d192e4-4786-463b-acef-ae7ea5569a06": "\"35008968-0000-0800-0000-63f564370000\"",
+ "a6e2aa27-43bc-45b2-b96d-48b735364839": "\"35008d68-0000-0800-0000-63f564550000\"",
+ "eb2153ae-e569-42cf-8467-40f05affa51f": "\"35009868-0000-0800-0000-63f564680000\"",
+ "f801914e-c351-43d7-b2a7-ba58f064fda6": "\"3500a268-0000-0800-0000-63f5647b0000\"",
+ "c655ec79-ccbb-4940-b53f-a1f0a6583a53": "\"3500ac68-0000-0800-0000-63f564920000\"",
+ "ba38e02e-2c7c-4744-9292-8df5f3fc28ac": "\"3500b068-0000-0800-0000-63f564aa0000\"",
+ "a649754e-0850-48be-af9d-9ae66e282259": "\"3500b368-0000-0800-0000-63f564bd0000\"",
+ "048acbb1-a65f-405e-b6bd-da47b59dffa7": "\"3500b768-0000-0800-0000-63f564d10000\"",
+ "432364d6-323c-41fb-a646-12ae79e3d321": "\"3500c268-0000-0800-0000-63f564ea0000\"",
+ "1b1e0484-a8d7-4116-bbc0-294d9d45aa1d": "\"3500c968-0000-0800-0000-63f564fe0000\"",
+ "a203a1c1-5360-4d2b-a61e-7e02066ef891": "\"3500d968-0000-0800-0000-63f565170000\"",
+ "e9f798a0-8821-4cde-9667-21d84cc45915": "\"3500df68-0000-0800-0000-63f5652c0000\"",
+ "58279f6d-5629-40b2-852b-66c575dbb0ca": "\"3500e368-0000-0800-0000-63f565480000\"",
+ "689e109d-46e0-4f54-b0b4-1377167cd660": "\"3500ff68-0000-0800-0000-63f5655e0000\"",
+ "f3f94d19-f440-483e-b11a-231f93731fe8": "\"35000469-0000-0800-0000-63f565730000\"",
+ "f9862418-b01a-40d9-84e1-bece0e2e89bb": "\"35000a69-0000-0800-0000-63f565850000\"",
+ "bf490122-cedd-48e7-ba93-246d9ba9bfae": "\"35000f69-0000-0800-0000-63f5659c0000\"",
+ "9aab9ad2-d911-4d72-95ba-0fa53d80af93": "\"35001569-0000-0800-0000-63f565af0000\"",
+ "338cfd75-5f86-4e98-91a0-87733bd4698e": "\"35001a69-0000-0800-0000-63f565c30000\"",
+ "9970db1b-bed7-4ca6-a5ea-effa3aac7b05": "\"35001f69-0000-0800-0000-63f565da0000\"",
+ "c6b7994e-ae58-499c-bdac-a7035e8858de": "\"35002269-0000-0800-0000-63f565ec0000\"",
+ "59b0b0bc-b313-42b4-a3d9-7c5dc383b448": "\"35002669-0000-0800-0000-63f565ff0000\"",
+ "36af90d3-daf0-4785-a195-afa11219595f": "\"35002c69-0000-0800-0000-63f566130000\"",
+ "c4f34b46-8c20-46f0-b790-23d2bd555b6a": "\"35004769-0000-0800-0000-63f5665f0000\"",
+ "17cf26a4-edee-458d-a467-5933e8c1a1aa": "\"35004f69-0000-0800-0000-63f566830000\"",
+ "6b67df71-a90e-424c-8725-e7f9574d716f": "\"35005369-0000-0800-0000-63f566990000\"",
+ "68b67702-32ef-41ac-a8b2-f793d9689274": "\"35006969-0000-0800-0000-63f566af0000\"",
+ "a814a61a-672f-431f-9b2b-869e9bcaa534": "\"35007569-0000-0800-0000-63f566ca0000\"",
+ "f45e4a0d-2bbf-417c-97b7-643c7d4a0f93": "\"35007969-0000-0800-0000-63f566e30000\"",
+ "837ae291-8946-4918-a036-a22f4da70456": "\"35008169-0000-0800-0000-63f566fd0000\"",
+ "7fa27bab-66bb-4d8c-a80e-843f48e2a3b0": "\"35008469-0000-0800-0000-63f567140000\"",
+ "04adf3cf-371a-475f-9f03-f7991a6f3aa3": "\"3500a169-0000-0800-0000-63f567400000\"",
+ "16b51acb-d11f-4570-ad5b-2a33fb52e25f": "\"3500a969-0000-0800-0000-63f567590000\"",
+ "af5d8d85-ac5f-4ef7-bf10-7b43986ec91d": "\"3500ac69-0000-0800-0000-63f5676e0000\"",
+ "4ef59b89-0b97-4fca-99d0-6b3f861142cf": "\"3500c969-0000-0800-0000-63f567c00000\"",
+ "e001fc5b-00f7-47eb-ad14-4f68ac4b56fa": "\"3500cd69-0000-0800-0000-63f567d30000\"",
+ "8adb0ef2-02b3-4efd-81b3-20f79556d862": "\"3500d469-0000-0800-0000-63f567ed0000\"",
+ "a36172b6-4acf-4915-b0c5-ea8be7d05c86": "\"3500d769-0000-0800-0000-63f568010000\"",
+ "516cc0be-cc97-486b-928e-0e222352ba46": "\"3500dc69-0000-0800-0000-63f568130000\"",
+ "4515ed4c-edac-40b7-9ba0-1e96b7db4572": "\"3500e069-0000-0800-0000-63f568270000\"",
+ "4059cc8c-74ef-43f9-abed-bb067aa015ae": "\"3500e369-0000-0800-0000-63f568390000\"",
+ "8fb31b17-e360-4b59-a281-19c4fe483909": "\"3500e769-0000-0800-0000-63f5684c0000\"",
+ "edec3f95-3e38-4140-a078-96c6bf105d1a": "\"3500ee69-0000-0800-0000-63f568640000\"",
+ "4e52f7d5-cb46-4880-9b3a-279444078bcf": "\"3500016a-0000-0800-0000-63f568780000\"",
+ "dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46": "\"3500076a-0000-0800-0000-63f568940000\"",
+ "74893bd0-8ffa-4e9f-83a5-58ed055824bc": "\"35000d6a-0000-0800-0000-63f568ad0000\"",
+ "2f33cb73-78b6-4886-8434-f319deea8d62": "\"3500146a-0000-0800-0000-63f568be0000\"",
+ "9d356cdc-fd63-4071-bc5b-f06d5effc36f": "\"35001a6a-0000-0800-0000-63f568e30000\"",
+ "e669ef82-838e-40b8-8423-efd8303206c6": "\"3500206a-0000-0800-0000-63f568fe0000\"",
+ "beb39f94-ac53-4ab4-b1c2-7b591497b571": "\"3500246a-0000-0800-0000-63f569120000\"",
+ "20412a8c-a3a7-41a5-8620-6d4c724d3092": "\"35002b6a-0000-0800-0000-63f569290000\"",
+ "595b910c-156b-4a20-996e-06c50a217133": "\"3500486a-0000-0800-0000-63f569430000\"",
+ "22cf036c-2193-4352-9fb5-869ed7dc00a6": "\"35004d6a-0000-0800-0000-63f569580000\"",
+ "a0ee0fdf-b347-449d-8cdb-b750cc062e02": "\"3500516a-0000-0800-0000-63f5696c0000\"",
+ "2c3d7a74-362a-4a6e-836a-279bc1fd8813": "\"3500756a-0000-0800-0000-63f5697e0000\"",
+ "32d3c923-7729-41bc-8b18-790e97726d79": "\"35008d6a-0000-0800-0000-63f569920000\"",
+ "49325680-a0e6-4b0d-b9ea-cc4991de4c73": "\"3500ba6a-0000-0800-0000-63f569aa0000\"",
+ "d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d": "\"3500ce6a-0000-0800-0000-63f569df0000\"",
+ "34be0f95-d845-4501-a64f-3f272d3e7d52": "\"3500d16a-0000-0800-0000-63f569f30000\"",
+ "5fa2554b-b319-4605-ad60-92601ac5d7ba": "\"3500e76a-0000-0800-0000-63f56a0a0000\"",
+ "ab212c5e-07ce-439e-a2d3-cba34ff1cc1d": "\"3500006b-0000-0800-0000-63f56a240000\"",
+ "58d21291-77aa-4e73-9603-1cefbe80b39c": "\"35002e6b-0000-0800-0000-63f56a9d0000\"",
+ "eba9eb63-e5e8-4617-87f7-492aedad803a": "\"3500396b-0000-0800-0000-63f56ab20000\"",
+ "bedfc0cf-b75b-4574-9de6-1b38a51fc987": "\"3500496b-0000-0800-0000-63f56ac90000\"",
+ "ed27aa54-2adc-4774-ae30-6f84a1de0213": "\"3a004472-0000-0800-0000-63f81ea90000\"",
+ "7c192267-ac8a-4182-9336-f5e7647fe9e5": "\"1f00d02a-0000-0800-0000-63e711b10000\"",
+ "63d1052b-e396-4366-a76f-4665b4b8f319": "\"2500f8ce-0000-0800-0000-63ec43700000\"",
+ "927ca451-fe12-4de3-983d-bd50cc359b7f": "\"250013cf-0000-0800-0000-63ec43920000\"",
+ "895522a3-ae18-4771-add7-334f7b4a3124": "\"25007dd2-0000-0800-0000-63ec492b0000\"",
+ "fcd7bae2-0354-454d-9884-18880ff95fe8": "\"2500e9d2-0000-0800-0000-63ec4ad60000\"",
+ "02ca5f41-a642-413b-aec0-51b9e20cce8a": "\"35008869-0000-0800-0000-63f567280000\"",
+ "8ccf4287-558c-445f-9331-ebb58c2be800": "\"35006b6b-0000-0800-0000-63f56ae90000\"",
+ "0a9646c6-c11c-4190-83be-ff0440581ebd": "\"35006f6b-0000-0800-0000-63f56afc0000\"",
+ "324b11f6-6382-45b4-934b-3f60ff4457a3": "\"3500756b-0000-0800-0000-63f56b240000\"",
+ "8e6cbbe1-93ba-45ab-8731-82d2802a60df": "\"3500796b-0000-0800-0000-63f56b360000\"",
+ "c3ec0a36-7cf7-47df-a82c-fc32720db69f": "\"35007d6b-0000-0800-0000-63f56b490000\"",
+ "fe7d80f1-5bd1-409b-89df-c48b2f340b80": "\"35008b6b-0000-0800-0000-63f56b5c0000\"",
+ "0f5a5c06-ca09-4075-890a-e46be2ee412a": "\"35009a6b-0000-0800-0000-63f56b6e0000\"",
+ "64c74af9-0412-4732-89f8-86f46e4897eb": "\"3500b56b-0000-0800-0000-63f56b820000\"",
+ "3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646": "\"3500bb6b-0000-0800-0000-63f56b950000\"",
+ "1ef21999-d53f-4840-bde9-6b90ee767bb7": "\"3500da6b-0000-0800-0000-63f56bb00000\"",
+ "6392295f-31e9-45da-8c14-5554a2b3fb7c": "\"3500f76b-0000-0800-0000-63f56bc10000\"",
+ "1217fe0b-489f-434b-9c6d-877c44610d0b": "\"3500fb6b-0000-0800-0000-63f56bd40000\"",
+ "86475faa-04ff-4383-86b2-ebca93ca8097": "\"3500136c-0000-0800-0000-63f56be60000\"",
+ "52bb7be6-1fb5-424b-bb24-84d427d91626": "\"35002a6c-0000-0800-0000-63f56c030000\"",
+ "4af76a04-0e2a-4892-ae63-3de3b4e9ead2": "\"35002f6c-0000-0800-0000-63f56c210000\"",
+ "a0021314-e49e-45d9-801f-e7bca20e9046": "\"3500336c-0000-0800-0000-63f56c320000\"",
+ "84cfa531-ea08-4c84-a1a1-d85c55c45f06": "\"3500376c-0000-0800-0000-63f56c4a0000\"",
+ "89bbc939-d47e-4b36-82dc-bcec562f0763": "\"3500486c-0000-0800-0000-63f56c5c0000\"",
+ "6f4474f5-8c95-4248-a56d-510a85fb07b3": "\"35006e6c-0000-0800-0000-63f56c780000\"",
+ "91d5304a-0628-4ab8-9c57-670bb4da620b": "\"35007c6c-0000-0800-0000-63f56c8b0000\"",
+ "8cfd3e23-2616-4c6f-b061-a8e47d0536bb": "\"35008d6c-0000-0800-0000-63f56c9f0000\"",
+ "2636af24-3225-405a-aa4b-7b455f326445": "\"35009e6c-0000-0800-0000-63f56cbb0000\"",
+ "9abf000c-f4ad-413f-9cd7-405d95349988": "\"3500a66c-0000-0800-0000-63f56cd50000\"",
+ "6e485f07-3a11-4eb5-ac2a-d1b82aca8c62": "\"3500b56c-0000-0800-0000-63f56ce70000\"",
+ "fd68f806-d8b0-4c8f-aa0f-3b78b59f157f": "\"3500cd6c-0000-0800-0000-63f56cfa0000\"",
+ "704b2418-b2bd-4b4a-8f9e-cf47562e133d": "\"3500d16c-0000-0800-0000-63f56d0c0000\"",
+ "b3345cc6-ee8c-46d4-abc9-8adae4b877d1": "\"3500e26c-0000-0800-0000-63f56d270000\"",
+ "3aa3ab52-566f-46a0-a5c9-caba62eaa518": "\"3500e96c-0000-0800-0000-63f56d3b0000\"",
+ "cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0": "\"3500ed6c-0000-0800-0000-63f56d4d0000\"",
+ "9df8fa13-f28b-41d5-8065-9d7e234aaa26": "\"3500f16c-0000-0800-0000-63f56d660000\"",
+ "c20c6d74-5470-4242-a748-d5625abb65b1": "\"3500f56c-0000-0800-0000-63f56d790000\"",
+ "340041fc-2cb7-423b-9da9-ec04a258f864": "\"3500f86c-0000-0800-0000-63f56d8b0000\"",
+ "d012df68-9c36-431a-acc1-704063e21101": "\"3500fb6c-0000-0800-0000-63f56d9d0000\"",
+ "bb49283b-b564-43d4-868c-2a6186144d8e": "\"3500186d-0000-0800-0000-63f56db20000\"",
+ "fa482a76-22d1-469d-8a47-510e71286ddd": "\"35001d6d-0000-0800-0000-63f56dc30000\"",
+ "bb0035d3-3ac9-40d5-976e-6076f906473c": "\"3500216d-0000-0800-0000-63f56dda0000\"",
+ "61a3f08d-ad2d-49cb-baac-9edc6235e968": "\"3500256d-0000-0800-0000-63f56df20000\"",
+ "f88f852a-b2cb-4e34-b282-36549eb50b2b": "\"35002b6d-0000-0800-0000-63f56e090000\"",
+ "efe3369b-f57f-4fb2-9570-d7a9fe32b526": "\"35002f6d-0000-0800-0000-63f56e1f0000\"",
+ "2950dda7-bc3f-4e83-9528-80df8dbe1368": "\"3500466d-0000-0800-0000-63f56e350000\"",
+ "e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e": "\"3500576d-0000-0800-0000-63f56e4f0000\"",
+ "fe861c55-a355-4af2-8e9e-2e2d8f7a68d9": "\"35005c6d-0000-0800-0000-63f56e620000\"",
+ "b63935f5-aae3-45b5-bd0d-f2da794fd126": "\"35005f6d-0000-0800-0000-63f56e750000\"",
+ "57b338f9-1c0e-42ee-9b56-1af8886e2047": "\"3500626d-0000-0800-0000-63f56e860000\"",
+ "ce11fda8-f604-4547-af58-fa313e8a8146": "\"3500676d-0000-0800-0000-63f56e990000\"",
+ "3d7a19b1-33bc-429e-b5d3-b6d0ab02216c": "\"35006d6d-0000-0800-0000-63f56eb30000\"",
+ "b131e363-3009-4942-a35c-14d5c7284ead": "\"3500706d-0000-0800-0000-63f56ec70000\"",
+ "916dae72-d95a-41c4-9370-30ff57177fbf": "\"3500736d-0000-0800-0000-63f56eda0000\"",
+ "066d6852-04de-4dab-9b95-bd3d2835a859": "\"3500776d-0000-0800-0000-63f56eed0000\"",
+ "b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b": "\"35007c6d-0000-0800-0000-63f56f050000\"",
+ "fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2": "\"3500816d-0000-0800-0000-63f56f180000\"",
+ "c34a8927-e01b-4de6-ae5f-52fb6ac204f9": "\"3500866d-0000-0800-0000-63f56f2b0000\"",
+ "00f4fd35-801a-4996-a1c5-bde58605be5c": "\"35008b6d-0000-0800-0000-63f56f3d0000\"",
+ "e901d93b-d192-4fac-8c53-9e023b8ef3c0": "\"35008e6d-0000-0800-0000-63f56f500000\"",
+ "74131d4a-83fd-4606-a5f4-71dc1d169a3d": "\"3500926d-0000-0800-0000-63f56f630000\"",
+ "91011f1e-3186-450d-9cd7-83e9c840508a": "\"3500996d-0000-0800-0000-63f56f760000\"",
+ "4b4b2f57-ace1-4d2d-9793-942442bc9668": "\"3500a06d-0000-0800-0000-63f56f8d0000\"",
+ "d4f0a426-2354-416f-9999-b8d28d3e93ed": "\"3500a36d-0000-0800-0000-63f56fa00000\"",
+ "370b2ef6-5d11-4827-a36a-eadd0cd821fe": "\"3500a66d-0000-0800-0000-63f56fb20000\"",
+ "9798584d-ebeb-4a0d-89f1-df23ee5a9edf": "\"3500aa6d-0000-0800-0000-63f56fc70000\"",
+ "51c23e70-6d7e-47c5-87b0-e798a636931d": "\"3500ad6d-0000-0800-0000-63f56fd80000\"",
+ "7e19583d-27e1-41c2-90a9-3f813155c6ce": "\"3500b26d-0000-0800-0000-63f56fea0000\"",
+ "a9e6f155-4049-4401-89e3-a9f769675eb6": "\"3500b66d-0000-0800-0000-63f56ffe0000\"",
+ "4f1de90b-7ff1-441a-af02-0a2a86ca9848": "\"3500ba6d-0000-0800-0000-63f570130000\"",
+ "9199567e-9c5d-4078-8f0f-40e9d4d5836c": "\"3500c56d-0000-0800-0000-63f570280000\"",
+ "66ee9d45-4e7e-4b0d-a361-377cd3662750": "\"3500d26d-0000-0800-0000-63f5703f0000\"",
+ "94d72012-0846-4f42-9d26-51f9cdb2fa6e": "\"3500d86d-0000-0800-0000-63f570530000\"",
+ "697575c4-83f0-4d98-9594-b6f254db566a": "\"3500db6d-0000-0800-0000-63f570680000\"",
+ "454abbc9-3d65-4dfb-9446-0af12f681192": "\"3500e06d-0000-0800-0000-63f570850000\"",
+ "7d070056-c31e-46a3-8ab6-299510132e4f": "\"3500e66d-0000-0800-0000-63f5709a0000\"",
+ "80e77d48-d0f1-4d7d-bb68-2ad8123ba8db": "\"3500ef6d-0000-0800-0000-63f570ae0000\"",
+ "bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b": "\"3500f46d-0000-0800-0000-63f570c40000\"",
+ "3c746716-20a6-46bd-98fd-d5c9d0aa1553": "\"3500f76d-0000-0800-0000-63f570d70000\"",
+ "8ed981a2-337b-4542-a371-3968ac93f923": "\"3500fd6d-0000-0800-0000-63f570ef0000\"",
+ "55f68d39-f930-44bd-acb6-4eddd9007237": "\"3500546e-0000-0800-0000-63f571060000\"",
+ "b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3": "\"35009f6e-0000-0800-0000-63f5711c0000\"",
+ "35efaa1c-ca0f-4fc8-b30b-993f1502dadc": "\"3500be6e-0000-0800-0000-63f571300000\"",
+ "4416b145-266e-461b-b5bf-c346069f404e": "\"3500ee6e-0000-0800-0000-63f571490000\"",
+ "47a5442c-c3e1-4a44-829b-a0fce5ffdb54": "\"3500196f-0000-0800-0000-63f571650000\"",
+ "7aa0650e-f8b6-4737-9894-85f684aa5d18": "\"3500506f-0000-0800-0000-63f571840000\"",
+ "5fcaa294-5c2f-495c-acf4-f6a93b6589f9": "\"35006b6f-0000-0800-0000-63f571960000\"",
+ "3838a2fe-0433-432b-8f34-fd48f0930148": "\"3500886f-0000-0800-0000-63f571ae0000\"",
+ "fddce345-91bc-4cba-82f9-af733f7cdc69": "\"3500a46f-0000-0800-0000-63f571c10000\"",
+ "b26de50a-8f22-4454-ae13-6442ac7decad": "\"3500d86f-0000-0800-0000-63f571d40000\"",
+ "b59ad89c-249e-462f-ac68-c23a93202fa3": "\"3500fb6f-0000-0800-0000-63f571e60000\"",
+ "6fbd8942-976f-4b19-94c6-785e9f05136e": "\"35002c70-0000-0800-0000-63f572350000\"",
+ "3f40377b-15d8-490f-a8d7-82c385f81829": "\"35003070-0000-0800-0000-63f5724a0000\"",
+ "e557ae74-ef8a-4bab-b807-959486942ceb": "\"35003570-0000-0800-0000-63f572630000\"",
+ "9578ea47-ee34-4289-9aa2-05630ecf2f1b": "\"35003a70-0000-0800-0000-63f572760000\"",
+ "e52bd802-3e96-4391-8b7f-c57e58539370": "\"35004e70-0000-0800-0000-63f5729e0000\"",
+ "aaa53051-1af4-42d9-a523-c08752580ade": "\"35005c70-0000-0800-0000-63f572b60000\"",
+ "cda14730-b43b-4099-a785-6145306928b9": "\"35006070-0000-0800-0000-63f572cb0000\"",
+ "af136dbc-b98a-4c3b-9842-e076768ae2a1": "\"35006470-0000-0800-0000-63f572e20000\"",
+ "1c6090a0-fa8a-4ebe-b8b2-5576114a384f": "\"35006c70-0000-0800-0000-63f572f40000\"",
+ "1e944163-f959-46f8-9760-95a54652437b": "\"35007d70-0000-0800-0000-63f5730b0000\"",
+ "fd618de1-e892-433a-9bc3-4d5d94edf017": "\"35008070-0000-0800-0000-63f5731e0000\"",
+ "8ef3b755-c57d-4103-8ad3-7536adbdd953": "\"35008770-0000-0800-0000-63f573360000\"",
+ "61cf974b-9170-4e7e-9c13-f801cce8b2c2": "\"35009370-0000-0800-0000-63f573850000\"",
+ "85e14dab-bc47-4f28-810f-47db9aa5896f": "\"35009970-0000-0800-0000-63f5739c0000\"",
+ "b4b19b2b-c30f-4f25-b5d5-762e7ceeef99": "\"35009d70-0000-0800-0000-63f573b40000\"",
+ "8d2677a1-dcf3-42b1-848b-a0a7055016d8": "\"3500a270-0000-0800-0000-63f573cb0000\"",
+ "6ee20e13-a511-42e0-beb8-020666b7071c": "\"3500a870-0000-0800-0000-63f573e20000\"",
+ "1d14a23e-7c19-4d9b-8775-eb282774958d": "\"3500ab70-0000-0800-0000-63f573f50000\"",
+ "6cef2de7-424f-4297-b732-b8985477fb7e": "\"3500af70-0000-0800-0000-63f5740b0000\"",
+ "c5141be2-18ae-4afc-a9f5-b07e5746cee1": "\"3500b770-0000-0800-0000-63f574220000\"",
+ "c110f9e8-7ac6-496f-8df7-da0c413e767e": "\"3500db70-0000-0800-0000-63f5743d0000\"",
+ "c5b4fb13-738e-4591-a704-741486688b20": "\"3500ec70-0000-0800-0000-63f574540000\"",
+ "a0ae8d0a-38d8-441f-b491-134cf3151846": "\"3500f370-0000-0800-0000-63f5746c0000\"",
+ "460cbcbe-314d-4841-8398-6926043768b8": "\"3500f670-0000-0800-0000-63f5747e0000\"",
+ "9aa5f4c8-b3ad-458f-92e4-d4cf21948c59": "\"35000471-0000-0800-0000-63f574d50000\"",
+ "f34bfe11-29ce-41f8-9a1e-167cd3302d0e": "\"35000771-0000-0800-0000-63f574ec0000\"",
+ "3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f": "\"35000d71-0000-0800-0000-63f574fe0000\"",
+ "a4d01245-f322-4861-9ffe-1c410aa9dfaa": "\"35001071-0000-0800-0000-63f575110000\"",
+ "1b94b9a2-ddd7-4d88-949e-ac13cf28b454": "\"35001571-0000-0800-0000-63f5752c0000\"",
+ "6e9a6f1b-a40e-4ffa-974d-3ab5d675c531": "\"35001871-0000-0800-0000-63f5753e0000\"",
+ "ff44fc3f-4e22-4c9c-94d9-645c7644d2ca": "\"35002071-0000-0800-0000-63f575510000\"",
+ "de4a8f18-acf0-4738-a6b2-2302216fdf48": "\"35002571-0000-0800-0000-63f575620000\"",
+ "c84de391-2133-43e6-af89-27b021feaf75": "\"35003171-0000-0800-0000-63f5757b0000\"",
+ "bbcf3e06-84cb-4bb0-813b-f4f9ce090bab": "\"35003671-0000-0800-0000-63f575920000\"",
+ "941e3a2b-8eed-4cb4-afba-1322838fcbb2": "\"35003a71-0000-0800-0000-63f575a90000\"",
+ "e0adc565-7cd3-47f0-9027-c700df43303a": "\"35003d71-0000-0800-0000-63f575be0000\"",
+ "14c4920e-9a71-4680-aa78-da32072e8dc2": "\"35004871-0000-0800-0000-63f575d60000\"",
+ "22a677eb-9971-4b78-8082-0061d9a975fd": "\"35004c71-0000-0800-0000-63f575e90000\"",
+ "fe80d1cc-65a1-400c-a5d5-5a5decf74f31": "\"35005271-0000-0800-0000-63f576020000\"",
+ "a13c922b-fe7c-476e-a586-edaab2219e57": "\"35005e71-0000-0800-0000-63f576540000\"",
+ "ceb7fe01-21a7-4ffb-b8f0-ac29b991da50": "\"35006371-0000-0800-0000-63f576660000\"",
+ "dfbb9a20-254e-4c70-a302-0ba22da59117": "\"35006971-0000-0800-0000-63f576790000\"",
+ "6dff9c6d-c191-4e5b-a308-a0906a23752d": "\"35007471-0000-0800-0000-63f576900000\"",
+ "b7e581ff-451f-4e85-97fd-f22c8be96580": "\"35007c71-0000-0800-0000-63f576a30000\"",
+ "7ee415a8-0c09-46a1-b75d-9223de562a12": "\"35008171-0000-0800-0000-63f576b40000\"",
+ "049d9663-9edb-4269-8bfa-340896d5cfe4": "\"35008771-0000-0800-0000-63f576c70000\"",
+ "26ed4120-b9df-487e-bf25-3f179ebf75f4": "\"35008a71-0000-0800-0000-63f576df0000\"",
+ "9d781e96-280e-4760-8a74-e28bcd7ef128": "\"35008e71-0000-0800-0000-63f576f20000\"",
+ "3421562d-ac3e-42dc-9d90-e751868bb424": "\"35009471-0000-0800-0000-63f577050000\"",
+ "22b9eab7-3edd-483a-8aca-5568e23dad78": "\"35009871-0000-0800-0000-63f5771d0000\"",
+ "2397d157-f3c4-485d-acd3-008ab8612c60": "\"35009e71-0000-0800-0000-63f5773e0000\"",
+ "67e76653-affb-4264-9b2a-0dd5f5fc2835": "\"3500a271-0000-0800-0000-63f577560000\"",
+ "303d53fd-b132-45bc-9dc9-8852122a64b9": "\"3500a571-0000-0800-0000-63f577690000\"",
+ "4f5a652f-bec8-4112-8f7b-531ff30dfd75": "\"3500aa71-0000-0800-0000-63f5777b0000\"",
+ "1f0221ac-cee3-4eae-801f-c725df4b9f27": "\"3500b471-0000-0800-0000-63f5778f0000\"",
+ "150bcc1a-7788-4624-a9d9-1b05b0fc7051": "\"3500eb71-0000-0800-0000-63f577a30000\"",
+ "929e1a28-c623-44b1-a8ef-7a1739b9bba1": "\"3500f171-0000-0800-0000-63f577b70000\"",
+ "3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75": "\"35000472-0000-0800-0000-63f577cc0000\"",
+ "be59c13c-c811-4444-9a72-b69c713672b1": "\"35000c72-0000-0800-0000-63f577fc0000\"",
+ "e857375b-b96a-4757-a5a6-c0ed478ee5de": "\"35001072-0000-0800-0000-63f578110000\"",
+ "80491722-4553-4683-a9a0-8f14ea6dfe08": "\"35001472-0000-0800-0000-63f578230000\"",
+ "6e16dc82-ea01-41d5-aa55-6390a418421d": "\"35001772-0000-0800-0000-63f578370000\"",
+ "e3d218b4-cb49-40bb-ac39-4892088ba6c1": "\"35001c72-0000-0800-0000-63f5784a0000\"",
+ "349c1b39-5c33-4d6f-b5a5-580083a77cd3": "\"35003772-0000-0800-0000-63f5785e0000\"",
+ "7fd08f98-0dbf-4604-853a-76a610cc9c0d": "\"35003b72-0000-0800-0000-63f578710000\"",
+ "9d680f1a-5c96-48c6-8662-3604bfe61eb2": "\"35004172-0000-0800-0000-63f5788b0000\"",
+ "c895ed04-d628-4d7d-ad3d-63afd80aa2a9": "\"35004672-0000-0800-0000-63f5789e0000\"",
+ "3c5c78d4-a787-4c7c-9da1-a1244a9878b4": "\"35004a72-0000-0800-0000-63f578b10000\"",
+ "742ae0bd-633c-4f38-804b-3ed926117077": "\"35008872-0000-0800-0000-63f578c80000\"",
+ "57d051c8-0108-455a-9a94-bfa7c7c8e565": "\"3500aa72-0000-0800-0000-63f578df0000\"",
+ "ad713bda-ef00-4837-b0ee-4c955214d0a6": "\"3500b472-0000-0800-0000-63f578f20000\"",
+ "495ef656-bd0f-4a92-a97c-17eab3d1b0b1": "\"3500ca72-0000-0800-0000-63f579030000\"",
+ "604dfab2-c845-4910-876f-76dce9eb58cb": "\"3500d872-0000-0800-0000-63f579550000\"",
+ "3700252b-2d09-4ca1-ba8d-5b070add4fbc": "\"3500de72-0000-0800-0000-63f579670000\"",
+ "bc28747a-f907-4cf8-b2e2-099b4663b67e": "\"3500e472-0000-0800-0000-63f5797b0000\"",
+ "a414027e-9d31-4716-84b5-41bc3cefbde1": "\"3500fe72-0000-0800-0000-63f5798f0000\"",
+ "2985b2db-a13a-4ec0-9606-dc6c837a6dd8": "\"35001173-0000-0800-0000-63f579a10000\"",
+ "2fd7979f-6d09-463b-828c-be33fc9ccfbb": "\"35001773-0000-0800-0000-63f579bf0000\"",
+ "ee08a1b6-de2e-4397-bb4a-9d434ad24ee3": "\"35001f73-0000-0800-0000-63f579d20000\"",
+ "dece78df-9bea-4625-9457-d4a37e01a4a8": "\"35002473-0000-0800-0000-63f579e60000\"",
+ "8a5e860b-05d8-47b1-bb76-f690d926ab12": "\"35002a73-0000-0800-0000-63f579f90000\"",
+ "6587f4a3-260a-470f-a372-fd7d879e9772": "\"35003273-0000-0800-0000-63f57a0b0000\"",
+ "63037f09-9e99-49da-909e-f384f84b9738": "\"35003c73-0000-0800-0000-63f57a230000\"",
+ "5a658bc2-1c28-40d4-be6d-fb228e071c1b": "\"3a006471-0000-0800-0000-63f81e920000\""
+}
\ No newline at end of file
From 260b788e3a48c0f08bf3bdb5a61b14c828d62aa6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:03 +0000
Subject: [PATCH 002/375] Exported file: (Preview) Microsoft Threat
Intelligence Analytics.json.json
---
...crosoft Threat Intelligence Analytics.json | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
diff --git a/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
new file mode 100644
index 00000000..37b219cf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "ThreatIntelligence",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "alertRuleTemplateName": "0dd422ee-e6af-4204-b219-f59ac172e4c6",
+ "severity": "Medium",
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
+ "techniques": [],
+ "displayName": "(Preview) Microsoft Threat Intelligence Analytics",
+ "enabled": true,
+ "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts."
+ }
+ }
+ ]
+}
\ No newline at end of file
From c234947437f763cc3f65d975d0054102479a78ad Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:04 +0000
Subject: [PATCH 003/375] Exported file: (Preview) TI map Domain entity to Dns
Events (Normalized DNS).json.json
---
...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
new file mode 100644
index 00000000..aa9fd169
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\nDomainTIs\n | join (\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "(Preview) TI map Domain entity to Dns Events (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies a match in DNS events from any Domain IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+ "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
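Review bot: The `description` does not state the match window the query actually implements: the last hour of normalized DNS queries (`dt_lookBack = 1h`, matching `queryFrequency` PT1H) is compared against active, unexpired domain indicators ingested in the last 14 days (`ioc_lookBack = 14d`, matching `queryPeriod` P14D). A sentence such as `Matches the last hour of normalized DNS queries against active, unexpired domain indicators ingested in the last 14 days.` would make the dependency between the two lookbacks and the schedule visible to whoever tunes the exported rule. Note also that the only temporal filter after the join is `DNS_TimeGenerated < ExpirationDateTime`; there is no lower bound against the indicator's own timestamp, unlike the IP variant in the next patch, which attempts one.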
From ed2efb761e4532b297afbbf5df59ec332433f9f1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:05 +0000
Subject: [PATCH 004/375] Exported file: (Preview) TI map IP entity to Dns
Events (Normalized DNS).json.json
---
...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
new file mode 100644
index 00000000..34e28555
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = (ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"\")\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\nimDns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\n | extend tilist = toscalar(TI_IP_List)\n | mv-expand tilist\n | extend SingleIP=tostring(tilist)\n | project-away tilist\n | where has_ipv4(DnsResponseName, SingleIP)\n | extend DNS_TimeGenerated = TimeGenerated\n| join IP_TI\n on $left.SingleIP == $right.TI_ipEntity\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "(Preview) TI map IP entity to Dns Events (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies a match in DNS events from any IP IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+ "alertRuleTemplateName": "67775878-7f8b-4380-ac54-115e1e828901"
+ }
+ }
+ ]
+}
\ No newline at end of file
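Review bot: The post-join filter `| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime` looks vacuous in its first half: the left side of the `join` is the `imDns` stream, whose `TimeGenerated` is what `DNS_TimeGenerated` was just copied from, while the indicator's `TimeGenerated` from `IP_TI` is, as far as I can tell, renamed to `TimeGenerated1` on join, so the comparison is always true. The intent is presumably "DNS event observed after the indicator was ingested", which the `LatestIndicatorTime` column already carries: `| where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime`. Worth confirming against the upstream template before changing the exported copy.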
From a3d0b2ae6968b25d455959cf820ef8d303b97f58 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:06 +0000
Subject: [PATCH 005/375] Exported file: (Private Preview) Insider Risk
Management_ Sensitive Data Access Outside Organizational
Geolocations.json.json
---
...s Outside Organizational Geolocations.json | 64 +++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
diff --git a/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
new file mode 100644
index 00000000..45aed148
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT7H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "// Rule Name - (Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations\r\n// Rule Description - Sensitive Data Access Outside Organziational Geolocations\r\n// Prerequisite 1: Onboard Azure Infomation Protection (https://docs.microsoft.com/en-us/azure/information-protection/requirements)\r\n// Prerequisite 2: Install AIP Unified Labeling Scanner (https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner)\r\n// Prerequisite 3: Enable Azure Information Protection Connector (https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-information-protection)\r\n// Prerequisite 4: Enable Azure Active Directory Connector (hhttps://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)\r\nInformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n// | where City <> \"New York\" // Configure Location Details within Organizational Requirements\r\n| extend State = tostring(LocationDetails.state)\r\n// | where State <> \"Texas\" // Configure Location Details within Organizational Requirements\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n// | where Country_Region <> \"US\" // Configure Location Details within Organizational Requirements\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "customDetails": {
+ "Activity": "Activity_s",
+ "Where": "City"
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "AadUserId",
+ "columnName": "UserPrincipalName"
+ }
+ ]
+ }
+ ],
+ "tactics": [],
+ "techniques": null,
+ "displayName": "(Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations",
+ "enabled": false,
+ "description": "Sensitive Data Access Outside Organziational Geolocations",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
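Review bot: In `entityMappings` the Account identifier `AadUserId` is bound to `UserPrincipalName`, but the query fills that column from `UserId_s`, which by name is a UPN string rather than an AAD object id, so entity resolution on the resulting incidents is likely to fail; `"identifier": "FullName"` (or a `Name`/`UPNSuffix` pair) fits a UPN value. Every geolocation filter in the query is commented out (`// | where City <> "New York"` and the State/Country lines), so as exported the rule alerts on any labelled access that has a sign-in regardless of location — it is disabled, but the committed query does not yet implement what `displayName` promises, and the comments should say so. The `join (SigninLogs) on UserPrincipalName` uses the default join flavor, which keeps only one left-side row per key, so `LabelName_s`/`Activity_s` in the summarize come from an arbitrary access record; `join kind=inner` is probably what was meant. The spelling `Organziational` appears in both the query header comment and `description`.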
From 3261bbc949ce02b58983c33c1f12e84acdfdb7e1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:06 +0000
Subject: [PATCH 006/375] Exported file: A client made a web request to a
potentially harmful file (ASIM Web Session schema).json.json
---
...armful file (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
new file mode 100644
index 00000000..edcb1bd6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\nimWebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced SIEM information Model (ASIM).\nTo use this analytics rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM)",
+ "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e"
+ }
+ }
+ ]
+}
\ No newline at end of file
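Review bot: The exported query will not parse as written: the regex literal in `extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))` has no string quotes around it, and the following line filters on `requestedFileExtension`, a column that is never defined (the `extend` creates `requestedFileExt`). In JSON-escaped form the two lines should read `| extend requestedFileExt=extract(@\"(\\.\\w+)$\",1,requestedFileName, typeof(string))` and `| where requestedFileExt in (file_ext_blocklist)`. The resource also declares no `entityMappings`, so the `IPCustomEntity`/`UrlCustomEntity` columns the query emits rely on the legacy column convention, if anything maps them at all; the PowerShell, crypto-miner and hacking-tool exports in the next three patches have the same omission. `NumFailedAttempts=count()` is misleading for a query that selects `eventresult='Success'`.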
From 2f4cec2856ca4fd45ec09d99d0dc7736d7bccf77 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:07 +0000
Subject: [PATCH 007/375] Exported file: A host is potentially running
PowerShell to send HTTP(S) requests (ASIM Web Session schema).json.json
---
...S) requests (ASIM Web Session schema).json | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
new file mode 100644
index 00000000..ee78f037
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2"
+ }
+ }
+ ]
+}
\ No newline at end of file
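Review bot: The `description` value is split across three physical lines by unescaped line-break characters (rendered here as line breaks; possibly bare CRs, since the hunk still counts 52 added lines), which a strict JSON parser rejects because control characters inside strings must be escaped — the other exports in this series encode the break as `\n`, as in the preceding patch's description. The crypto-miner and hacking-tool exports in the next two patches carry the same defect. It is worth checking whether the exporter or the source rule introduced these before relying on the files for redeployment. Separately, the query loads its indicator list at run time from a CSV on raw.githubusercontent.com via `externaldata`, so the detection content depends on an external, mutable source outside this repository; that is inherited from the template but should be noted in the rule's comments.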
From c50a2c11acfc10c4482c2eddc1111da2ea3af3f2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:08 +0000
Subject: [PATCH 008/375] Exported file: A host is potentially running a crypto
miner (ASIM Web Session schema).json.json
---
...rypto miner (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
new file mode 100644
index 00000000..deeead3f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Cryptominer\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running a crypto miner (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the Advanced SIEM Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "8cbc3215-fa58-4bd6-aaaa-f0029c351730"
+ }
+ }
+ ]
+}
\ No newline at end of file
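Review bot: The query is missing the statement terminator after `let fullUAList = array_concat(knownUserAgents,customUserAgents)` — `imWebSession(...)` follows on the next line with no `;`, so the query fails to parse; the PowerShell variant in the preceding patch ends the same `let` with `;`. The corrected fragment is `let fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)`. The hacking-tool export in the next patch has the identical omission.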
From 6f3af0c0a3fe05a7efe2405e6952215af3cf44af Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:09 +0000
Subject: [PATCH 009/375] Exported file: A host is potentially running a
hacking tool (ASIM Web Session schema).json.json
---
...acking tool (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
new file mode 100644
index 00000000..36756c66
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Hacking Tool\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running a hacking tool (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "3f0c20d5-6228-48ef-92f3-9ff7822c1954"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c55344b54bf347736188661178ffd6f2ce008ec1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:10 +0000
Subject: [PATCH 010/375] Exported file: A potentially malicious web request
was executed against a web server.json.json
---
...est was executed against a web server.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
diff --git a/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
new file mode 100644
index 00000000..4ba5f88b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mode = 'Blocked'; \nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet minTime = ago(1d);\nlet maxSessionWindow = 1h;\nlet sessionBin = maxSessionWindow/2.0;\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayFirewallLog'\n| where action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\n| extend duration = maxTime - minTime\n| extend TimeKey = bin(SessionStarted, sessionBin)\n| join kind = inner(\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayAccessLog'\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\n| where (TimeGenerated - SessionStarted) between (0m .. 
duration)\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")\n| extend serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| where SessionBlockedCount > SuccessfulAccessLogCount \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "A potentially malicious web request was executed against a web server",
+ "enabled": false,
+ "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.",
+ "alertRuleTemplateName": "46ac55ae-47b8-414a-8f94-89ccd1962178"
+ }
+ }
+ ]
+}
\ No newline at end of file
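Review bot: The `successCode` list on the query line includes 400, 401, 500 and 504, so the "unobstructed" side of the join counts client- and server-error responses as successful access, which inflates SuccessfulAccessLogCount and suppresses the final `| where SessionBlockedCount > SuccessfulAccessLogCount` filter. The description says this list should be tuned per environment, but the shipped default contradicts the BlockvsSuccessRatio semantics it documents; `let successCode = dynamic(['200', '101', '204', '304']);` would match the described intent. Separately, `httpStatus_d` carries the AzureDiagnostics `_d` (double) suffix while the list holds strings, so whether `httpStatus_d in (successCode)` matches at all depends on coercion — worth confirming against live data, since otherwise only rows with an empty status survive the `isempty(httpStatus_d)` fallback.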
From 70017dd726e6131eb30ff93830ab3eeca32eefba Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:11 +0000
Subject: [PATCH 011/375] Exported file: AD FS Remote Auth Sync
Connection.json.json
---
.../AD FS Remote Auth Sync Connection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
new file mode 100644
index 00000000..d8e5a274
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\n//let adfsuser = 'adfsadmin';\n// Identify ADFS Servers\nlet ADFS_Servers = (\n SecurityEvent\n //| where TimeGenerated > ago(timeframe+lookback)\n | where EventSourceName == 'AD FS Auditing'\n | distinct Computer\n);\nSecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\n // for relying party '-' was successfully authenticated.\n | where EventID == 412\n | extend EventData = parse_xml(EventData).EventData.Data\n | extend InstanceId = tostring(EventData[0])\n| join kind=inner\n(\n SecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // Events to identify caller identity from event 412\n | where EventID == 501\n | extend EventData = parse_xml(EventData).EventData.Data\n | where tostring(EventData[1]) contains 'identity/claims/name'\n | extend InstanceId = tostring(EventData[0])\n | extend ClaimsName = tostring(EventData[2])\n // Filter on the use of a specific AD FS user account\n //| where ClaimsName contains adfsuser\n)\non $left.InstanceId == $right.InstanceId\n| join kind=inner\n(\n SecurityEvent\n | where EventID == 5156\n | where Computer in~ (ADFS_Servers)\n | extend EventData = parse_xml(EventData).EventData.Data\n | mv-expand bagexpansion=array EventData\n | evaluate bag_unpack(EventData)\n | extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n | extend DestPort = column_ifexists(\"DestPort\", \"\"),\n Direction = column_ifexists(\"Direction\", \"\"),\n Application = column_ifexists(\"Application\", 
\"\"),\n DestAddress = column_ifexists(\"DestAddress\", \"\"),\n SourceAddress = column_ifexists(\"SourceAddress\", \"\"),\n SourcePort = column_ifexists(\"SourcePort\", \"\")\n // Look for inbound connections from endpoints on port 80\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') \n)\non $left.Computer == $right.Computer\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote Auth Sync Connection",
+ "enabled": false,
+ "description": "This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious authentication events on an AD FS server. The results then get\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\nsensitive information such as AD FS certificates.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
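Review bot: The loopback filter on the 5156 branch, `| where DestAddress !in ('::1','0:0:0:0:0:0:0:1')`, excludes only IPv6 loopback, so local connections to 127.0.0.1 on the AD FS host are still reported as "inbound connections from endpoints"; adding `'127.0.0.1'` to that list keeps the rule aligned with its stated intent. The same two-entry list appears in the following rule (AD FS Remote HTTP Network Connection) on `DestinationIp`. Also, `DestPort` is produced by the pivot with a `""` string default and then compared with the integer 80 in `| where DestPort == 80`; whether that comparison matches depends on the pivoted column's type, which should be confirmed on real 5156 data before enabling the rule.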
From 2b199ba0c41026a991bd39cc26f4487f4ccb6526 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:12 +0000
Subject: [PATCH 012/375] Exported file: AD FS Remote HTTP Network
Connection.json.json
---
.../AD FS Remote HTTP Network Connection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
new file mode 100644
index 00000000..bd68ae23
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// Filter out other servers in the AD FS farm\nlet ADFSServersList = dynamic([\"ADFS02.domain.com\",\"ADFS03.domain.com\"]);\n// Start by identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer !in (ADFSServersList)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer\n);\n// Look for ADFS servers receiving connections over port 80\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"), TechniqueId = column_ifexists(\"TechniqueId\", \"\"), TechniqueName = 
column_ifexists(\"TechniqueName\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n| where EventID == 3\n// Look for endpoints connecting to the AD FS server over port 80\n| extend DestinationPort = column_ifexists(\"DestinationPort\", \"\"), Image = column_ifexists(\"Image\", \"\"), Initiated = column_ifexists(\"Initiated\", \"\"), SourceIp = column_ifexists(\"DestinationIp\", \"\"), DestinationIp = column_ifexists(\"DestinationIp\", \"\")\n| where DestinationPort == 80\n| extend process = split(Image, '\\\\', -1)[-1]\n// Look for the System process receiving connections\n| where process == 'System' and Initiated == 'false'\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote HTTP Network Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "d57c33a9-76b9-40e0-9dfa-ff0404546410"
+ }
+ }
+ ]
+}
\ No newline at end of file
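Review bot: `SourceIp = column_ifexists("DestinationIp", "")` on the query line reads the destination column, so the final `IPCustomEntity = SourceIp` mapping attaches the AD FS server's own address to the incident instead of the connecting endpoint; it should read `SourceIp = column_ifexists("SourceIp", "")`, which is the Sysmon Event ID 3 field the comment "Look for endpoints connecting to the AD FS server" is after. Note also that `ADFSServersList` holds placeholder hostnames (`ADFS02.domain.com`, `ADFS03.domain.com`) used only as an exclusion; left unchanged it excludes nothing, which is harmless but should be called out in the description as a tuning value.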
From c1d1bfa694f3fa5533ec575e52c1f764dd51f542 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:12 +0000
Subject: [PATCH 013/375] Exported file: AD account with Don't Expire
Password.json.json
---
...AD account with Don't Expire Password.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
diff --git a/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
new file mode 100644
index 00000000..f732ef14
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nSecurityEvent\n| where EventID == 4738\n// 2089 value indicates the Don't Expire Password value has been set\n| where UserAccountControl has \"%%2089\" \n| extend Value_2089 = iff(UserAccountControl has \"%%2089\",\"'Don't Expire Password' - Enabled\", \"Not Changed\")\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \n| extend Value_2050 = iff(UserAccountControl has \"%%2050\",\"'Password Not Required' - Disabled\", \"Not Changed\")\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \n| extend Value_2082 = iff(UserAccountControl has \"%%2082\",\"'Password Not Required' - Enabled\", \"Not Changed\")\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD account with Don't Expire Password",
+ "enabled": false,
+ "description": "Identifies whenever a user account has the setting \"Password Never Expires\" in the user account properties selected.\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\n%%2089 resolves to \"Don't Expire Password - Enabled\".",
+ "alertRuleTemplateName": "6c360107-f3ee-4b91-9f43-f4cfd90441cf"
+ }
+ }
+ ]
+}
\ No newline at end of file
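Review bot: After `| where UserAccountControl has "%%2089"` the `Value_2089 = iff(UserAccountControl has "%%2089", ...)` expression can only take its first branch, so the column is a constant and the `"Not Changed"` arm is dead; a plain `| extend Value_2089 = "'Don't Expire Password' - Enabled"` says the same thing without implying a second outcome. Unlike the following rule (AD user enabled and password not set within 48 hours), there is no `TargetAccount !endswith "$"` exclusion here, so 4738 events for computer accounts are reported as well — whether that is wanted depends on the environment, but it is worth stating in the description either way.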
From c763a917dfaf1c92d93842b8a4c1cc8fb25d3b6e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:13 +0000
Subject: [PATCH 014/375] Exported file: AD user enabled and password not set
within 48 hours.json.json
---
... and password not set within 48 hours.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
diff --git a/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
new file mode 100644
index 00000000..f860a774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P3D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\n| order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD user enabled and password not set within 48 hours",
+ "enabled": false,
+ "description": "Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company policy.",
+ "alertRuleTemplateName": "62085097-d113-459f-9ea7-30216f2ee6af"
+ }
+ }
+ ]
+}
\ No newline at end of file
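Review bot: The `or isempty(PasswordSetAttemptDelta_Min)` branch on the query line also matches accounts that were enabled less than 48 hours ago and simply have not had their 4723 yet, so the rule fires before the 48-hour condition in its title has actually been violated, and with a daily run over a `P3D` window the same account is reported again on each run until it leaves the window. Restricting the no-attempt branch to enable events older than two days, `| where PasswordSetAttemptDelta_Min > 2880 or (isnull(Time_Event4723) and Time_Event4722 < ago(2d))`, matches the description's "within 48 hours, no event 4723 occurs". The description should then mention that a missing 4723 is reported only once the 48 hours have elapsed.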
From a45d22874b0446503ba63c2d8c05e8236f5e82c5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:14 +0000
Subject: [PATCH 015/375] Exported file: ADFS DKM Master Key Export.json.json
---
.../ADFS DKM Master Key Export.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
diff --git a/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
new file mode 100644
index 00000000..291cf211
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cca3599-da9a-4231-a9d2-b1f733201dbd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cca3599-da9a-4231-a9d2-b1f733201dbd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "(union isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains '
Date: Thu, 2 Mar 2023 02:15:15 +0000
Subject: [PATCH 016/375] Exported file: ADFS Database Named Pipe
Connection.json.json
---
.../ADFS Database Named Pipe Connection.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
diff --git a/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
new file mode 100644
index 00000000..aff745de
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 6d;\n// Adjust this to adjust the key export detection timeframe\n//let timeframe = 1d;\n// Start be identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer);\n// Look for ADFS servers where Named Pipes event are present\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"),\n TechniqueId = column_ifexists(\"TechniqueId\", \"\"),\n TechniqueName = column_ifexists(\"TechniqueName\", \"\"),\n Image = column_ifexists(\"Image\", \"\"),\n PipeName = column_ifexists(\"PipeName\", \"\"),\n EventType = 
column_ifexists(\"EventType\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n// Look for Pipe related to querying the WID\n| where PipeName == \"\\\\MICROSOFT##WID\\\\tsql\\\\query\"\n| extend process = split(Image, '\\\\', -1)[-1]\n// Exclude expected processes\n| where process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", \"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\", \"AzureADConnect.exe\", \"Microsoft.Tri.Sensor.exe\", \"wsmprovhost.exe\",\"mmc.exe\", \"sqlservr.exe\")\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "ADFS Database Named Pipe Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\nFailed to resolve scalar expression named \"[@Name]\"",
+ "alertRuleTemplateName": "dcdf9bfc-c239-4764-a9f9-3612e6dff49c"
+ }
+ }
+ ]
+}
\ No newline at end of file
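Review bot: The process exclusion in `| where process !in ("Microsoft.IdentityServer.ServiceHost.exe", ...)` is evaluated on the image basename taken from `split(Image, '\\', -1)[-1]`, so the allowlist is satisfied by the file name alone regardless of the directory it ran from; comparing the full `Image` path against the expected install locations keeps the exclusion from being broader than intended, and the description should state that the list is an allowlist to be tuned. Two typos in the same hunk: the description reads `EventIdD 18` (should be `EventID 18`) and the query comment reads `Start be identifying` (should be `Start by identifying`).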
From c4fa0f43dde874669b597bceb06c7aad2aeeaddc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:16 +0000
Subject: [PATCH 017/375] Exported file: AWS Guard Duty Alert.json.json
---
.../AWS Guard Duty Alert.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
diff --git a/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
new file mode 100644
index 00000000..60586c45
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e137990-3aad-4695-8ea5-eac1e16a9451')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e137990-3aad-4695-8ea5-eac1e16a9451')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [],
+ "techniques": null,
+ "displayName": "AWS Guard Duty Alert",
+ "enabled": false,
+ "description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.",
+ "alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106"
+ }
+ }
+ ]
+}
\ No newline at end of file
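Review bot: The KQL on the `"query"` line misspells the derived column `AWSAcoundId = AccountId`, and because `AccountId` is then removed by `project-away`, every consumer of this rule's output has to know the misspelling; rename it to `AWSAccountId = AccountId`. The rule also carries no `entityMappings`, so incidents it creates have no Account, IP or Host entity to pivot on; mapping the account column (and, if the GuardDuty schema exposes one, the resource IP) would make triage easier. The description line's `This templates create an alert` reads better as `This template creates an alert`.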
From 02c06f9d3d23c5b87609ec09eb1ed2311e66dfc1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:17 +0000
Subject: [PATCH 018/375] Exported file: Account Created and Deleted in Short
Timeframe.json.json
---
...reated and Deleted in Short Timeframe.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
diff --git a/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
new file mode 100644
index 00000000..a3a2cb27
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where OperationName =~ \"Add user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| join kind=inner (AuditLogs\n| where OperationName =~ \"Delete user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\n| extend timedelta = TimeGenerated1 - TimeGenerated\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\n| where timedelta < timespan(24h) and timedelta > timespan(0h)\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Account Created and Deleted in Short Timeframe",
+ "enabled": false,
+ "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account",
+ "alertRuleTemplateName": "bb616d82-108f-47d3-9dec-9652ea0d3bf6"
+ }
+ }
+ ]
+}
\ No newline at end of file
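Review bot: The query ends with `| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress`, but `entityMappings` maps only the IP column, so the account that was created and deleted never becomes an incident entity. Add an Account mapping with `"identifier": "FullName"` and `"columnName": "CustomAccountEntity"`, or rename the column to the `AccountCustomEntity` convention the sibling rules in this series use, so the UPN is attached to the incident alongside the IP.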
From 9ec793b4e2bce80fd7efe217e0ad6bae1b4f2408 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:17 +0000
Subject: [PATCH 019/375] Exported file: Account added and removed from
privileged groups.json.json
---
...ed and removed from privileged groups.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
diff --git a/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
new file mode 100644
index 00000000..51ad12f9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet AC_Add = \nSecurityEvent\n// Event ID related to member addition.\n| where EventID in (4728, 4732,4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountAdded \",OU\" *\n| where isnotempty(AccountAdded)\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \"||\", GroupAddedTo, \"||\", AddingAccount )\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\nlet AC_Remove = \nSecurityEvent\n// Event IDs related to member removal.\n| where EventID in (4729,4733,4757)\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountRemoved \",OU\" * \n| where isnotempty(AccountRemoved)\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \"||\", GroupRemovedFrom, \"||\", RemovingAccount)\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \nAC_Add \n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\n| where DurationinSecondAfter_Removed > 0\n| project-away 
AccountRemoved_GroupRemovedFrom_RemovingAccount\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Account added and removed from privileged groups",
+ "enabled": false,
+ "description": "Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.",
+ "alertRuleTemplateName": "7efc75ce-e2a4-400f-a8b1-283d3b0f2c60"
+ }
+ }
+ ]
+}
\ No newline at end of file
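Review bot: Both `parse EventData with * '\"MemberName\">' * '=' AccountAdded \",OU\" *` clauses require the member's distinguished name to contain a `,OU` component; a member whose DN sits under a container rather than an OU (for example the default `CN=Users`) appears to yield an empty AccountAdded/AccountRemoved and is then discarded by `isnotempty(...)`, so additions of such accounts to privileged groups are silently missed. Parsing up to the first `,` (or extracting the CN with a regex) would cover both DN layouts. The description promises accounts "quickly removed", but `DurationinSecondAfter_Removed > 0` has no upper bound other than the P1D query period; if "quickly" is the intent, an explicit upper bound such as `and DurationinSecondAfter_Removed < 3600` should be stated and documented in the description.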
From 7fd947a8b1eabe8600607df32a95ca94d0bd7ad7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:18 +0000
Subject: [PATCH 020/375] Exported file: Account created or deleted by
non-approved user.json.json
---
...eated or deleted by non-approved user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
diff --git a/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
new file mode 100644
index 00000000..71abee6a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName == \"Add user\" or OperationName == \"Delete user\"\n| where Result == \"success\"\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Account created or deleted by non-approved user",
+ "enabled": false,
+ "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts",
+ "alertRuleTemplateName": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a"
+ }
+ }
+ ]
+}
\ No newline at end of file
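Review bot: `let nonapproved_users = dynamic([]);` leaves the list empty, and `where InitiatingUser has_any (nonapproved_users)` matches nothing against an empty list, so the rule as exported can never produce an alert even once enabled; the only hint is the comment inside the query. Sourcing the list from a watchlist, e.g. `let nonapproved_users = _GetWatchlist('<watchlist-alias>') | project <upn-column>;`, keeps the list maintainable without editing the rule body and makes an empty list visible as configuration rather than as silent no-results. If the hard-coded list is kept, the description should state that the rule is inert until the list is populated.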
From 7f94b0569ad4ccbf9ce00a3ee70d6936cbf92d8d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:19 +0000
Subject: [PATCH 021/375] Exported file: Admin promotion after Role Management
Application Permission Grant.json.json
---
...nagement Application Permission Grant.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
diff --git a/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
new file mode 100644
index 00000000..fac376d0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/798fde9b-d47c-4158-99e0-326a7f4e29d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/798fde9b-d47c-4158-99e0-326a7f4e29d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"AppRole.Value\"\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where AppRole has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\n| join kind=innerunique (\n AuditLogs\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-expand TargetResources\n | mv-expand TargetResources.modifiedProperties\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n | where displayName_ =~ \"Role.DisplayName\"\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n | where RoleName contains \"Admin\"\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\n | extend Target = 
iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\n | extend TargetType = tostring(TargetResources.type)\n | extend TargetId = tostring(TargetResources.id)\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\n) on $left.TargetId == $right.InitiatorId\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\n| where TimeRoleMgGrant < TimeAdminPromo\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "PrivilegeEscalation",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Admin promotion after Role Management Application Permission Grant",
+ "enabled": false,
+ "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+ "alertRuleTemplateName": "f80d951a-eddc-4171-b9d0-d616bb83efdc"
+ }
+ }
+ ]
+}
\ No newline at end of file
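Review bot: `TargetResources.modifiedProperties[4].newValue` and `TargetResources.modifiedProperties[3].newValue` pick the target and its id by array position, which depends on the order in which Azure AD emits `modifiedProperties`; the second branch of the same query already selects entries by `displayName_`, and doing the same here would be more robust than positional indexing. Both `queryFrequency` and `queryPeriod` are `PT2H`, so the join only correlates a permission grant and a role assignment that land in the same two-hour window; a grant followed by a promotion hours or days later is never seen, which is worth calling out in the description or widening the lookback on the grant side. The projected `ServicePrincipal`/`TargetObject` columns are not mapped in any `entityMappings`, so incidents from this rule carry no entities.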
From 43d2b455e14c10cf2e53111374d616c821afb240 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:20 +0000
Subject: [PATCH 022/375] Exported file: Alert for IOCs related to Windows_ELF
malware - IP, Hash IOCs - September 2021.json.json
---
...ware - IP, Hash IOCs - September 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
diff --git a/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
new file mode 100644
index 00000000..2fbc7ec6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dece78df-9bea-4625-9457-d4a37e01a4a8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dece78df-9bea-4625-9457-d4a37e01a4a8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, 
DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, 
AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName in (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\nReference: \nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar",
+ "alertRuleTemplateName": "d992b87b-eb49-4a9d-aa96-baacf9d26247"
+ }
+ }
+ ]
+}
\ No newline at end of file
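Review bot: The last union branch `SecurityEvent | where EventID == '4688' | where NewProcessName in (IPList)` compares a process path against the IP list and can never match, so it only adds query cost; either drop the branch or have it match a hash column against `sha256Hashes`. In `sha256Hashes` the final entry `a3037c33…` repeats the eighth entry, and the CommonSecurityLog `case(...)` lists `MessageIP in (IPList), \"Message\"` twice; both are harmless but suggest the list was merged by hand and should be deduplicated. The `DeviceFileEvents` branch projects and renames every row before `where FileHash in (sha256Hashes)`; moving that filter to the top of the branch keeps the same results at lower cost.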
From 6b75937ffb603c70959eae98a2d0477608bb9172 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:21 +0000
Subject: [PATCH 023/375] Exported file: Alsid Active Directory attacks
pathways.json.json
---
...sid Active Directory attacks pathways.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
new file mode 100644
index 00000000..892797cf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b129d496-e02c-479f-a5c7-16cc71ef63ad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b129d496-e02c-479f-a5c7-16cc71ef63ad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Active Directory attacks pathways",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways",
+ "alertRuleTemplateName": "9649e203-3cb7-47ff-89a9-42f2a5eefe31"
+ }
+ }
+ ]
+}
\ No newline at end of file
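Review bot: `lookup kind=leftouter SeverityTable on Severity` is a case-sensitive match against the lower-case keys `"low"`, `"medium"`, `"high"`, `"critical"`; if `afad_parser` (not visible here) emits a differently-cased Severity, `Level` comes back null and `order by Level` no longer reflects severity, so either confirm the parser's casing or normalise with `| extend Severity = tolower(Severity)` before the lookup. The rule has no `entityMappings`, so the resulting incidents carry no entities; mapping whatever host or account columns the parser exposes would help triage.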
From 2b6b19e36d7f54eec824ac7ecd173ce1cf21e570 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:21 +0000
Subject: [PATCH 024/375] Exported file: Alsid DCShadow.json.json
---
.../Alsid DCShadow.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid DCShadow.json
diff --git a/SentinelExported-AnalyticsRule/Alsid DCShadow.json b/SentinelExported-AnalyticsRule/Alsid DCShadow.json
new file mode 100644
index 00000000..177269e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid DCShadow.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCShadow\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCShadow",
+ "enabled": false,
+ "description": "Searches for DCShadow attacks",
+ "alertRuleTemplateName": "25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c"
+ }
+ }
+ ]
+}
\ No newline at end of file
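Review bot: `"queryFrequency": "PT2H"` and `"queryPeriod": "PT2H"` leave no overlap between consecutive runs, so an Alsid DCShadow event that reaches the workspace later than Sentinel's default 5-minute run delay can land in a window that has already been queried and never alert. If the Alsid connector's latency is not known to be that low, widen the lookback and bound the query on ingestion time instead, e.g. `"queryPeriod": "PT4H"` with `| where ingestion_time() > ago(2h)` appended to the query, which closes the gap without re-alerting on rows already seen. Every Alsid export in this series uses the same 2h/2h pair, so the fix belongs in the shared template rather than this file alone.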
From 7babaf20c67e65decb48be477b98afec75aea8b2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:22 +0000
Subject: [PATCH 025/375] Exported file: Alsid DCSync.json.json
---
.../Alsid DCSync.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid DCSync.json
diff --git a/SentinelExported-AnalyticsRule/Alsid DCSync.json b/SentinelExported-AnalyticsRule/Alsid DCSync.json
new file mode 100644
index 00000000..9b75999f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid DCSync.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCSync\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCSync",
+ "enabled": false,
+ "description": "Searches for DCSync attacks",
+ "alertRuleTemplateName": "d3c658bd-8da9-4372-82e4-aaffa922f428"
+ }
+ }
+ ]
+}
\ No newline at end of file
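Review bot: `Codename == "DCSync"` is a case-sensitive exact match, whereas the Indicators-of-Exposure rules in the same series compare codenames case-insensitively with `in~`; if the vendor ever changes the label's casing this rule stops firing silently, with no error to surface the regression. `| where MessageType == 2 and Codename =~ "DCSync"` keeps the intent without the fragility. `"techniques": null` is also worth filling in alongside the tactic: DCSync is MITRE ATT&CK T1003.006, and `"techniques": ["T1003"]` (or the sub-technique ID if this API version accepts it) lets Sentinel's MITRE coverage view count the rule.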
From cc5f1387386b85a56702971dfa721c2dadac2e3e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:23 +0000
Subject: [PATCH 026/375] Exported file: Alsid Golden Ticket.json.json
---
.../Alsid Golden Ticket.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
new file mode 100644
index 00000000..605710d8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Golden Ticket\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Golden Ticket",
+ "enabled": false,
+ "description": "Searches for Golden Ticket attacks",
+ "alertRuleTemplateName": "21ab3f52-6d79-47e3-97f8-ad65f2cb29fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
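Review bot: the rule has no `entityMappings`, so the incidents it creates carry no Account or Host entities; the `groupingConfiguration` with `"matchingMethod": "AllEntities"` then has nothing to match on, and the investigation graph for a forged-ticket alert will be empty. The 'Anomalous User Agent connection attempt' export later in this series shows the shape to add (`entityType` / `fieldMappings`). Which columns `afad_parser` exposes for the affected account and domain controller is not visible here, so the mapping should be written against the parser's actual output rather than guessed.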
From 9f9a9207059fdf5126d00269a546cea182e7298f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:24 +0000
Subject: [PATCH 027/375] Exported file: Alsid Indicators of Attack.json.json
---
.../Alsid Indicators of Attack.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
new file mode 100644
index 00000000..eabbaa2e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 2\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Attack",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Attack",
+ "alertRuleTemplateName": "3caa67ef-8ed3-4ab5-baf2-3850d3667f3d"
+ }
+ }
+ ]
+}
\ No newline at end of file
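Review bot: the query derives a numeric `Level` from Alsid's own `Severity`, but the rule's `"severity": "Low"` is static, so a `critical` indicator of attack is raised as a Low incident and the computed column only affects row ordering. Sentinel can take severity from a result column through `alertDetailsOverride` with `alertSeverityColumnName`; that column must hold Sentinel's values (Informational/Low/Medium/High), so a `case()` mapping `critical` and `high` to `High` is needed before pointing the override at it. The same static Low appears in the other Alsid bundle rules in this series, so the override belongs in the shared template.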
From 0c04bb14fce20472f28a5df1eed7f58ae2c45a5a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:25 +0000
Subject: [PATCH 028/375] Exported file: Alsid Indicators of
Exposures.json.json
---
.../Alsid Indicators of Exposures.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
new file mode 100644
index 00000000..a3fa8625
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Exposures",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures",
+ "alertRuleTemplateName": "154fde9f-ae00-4422-a8da-ef00b11da3fc"
+ }
+ }
+ ]
+}
\ No newline at end of file
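Review bot: this rule alerts on every `MessageType == 0` row, while 'Alsid Password issues', 'Alsid privileged accounts issues', 'Alsid user accounts issues' and the attack-pathways rule each select a `Codename` subset of exactly the same rows, so one exposure finding can open up to three incidents across rules if all are enabled. Either keep this catch-all and drop the subsets, or restrict it to codenames not covered elsewhere with `| where MessageType == 0 and Codename !in~ (coveredCodenames)`. `"tactics": ["CredentialAccess"]` is also a stretch for exposures, which are configuration weaknesses rather than observed attacker activity; if the Alsid data carries a tactic or category per codename, `alertDetailsOverride.alertTacticsColumnName` could carry it instead.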
From d6db5ebd727a384aad26958c422a8af901cb3869 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:26 +0000
Subject: [PATCH 029/375] Exported file: Alsid LSASS Memory.json.json
---
.../Alsid LSASS Memory.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
diff --git a/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
new file mode 100644
index 00000000..60c47531
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid LSASS Memory",
+ "enabled": false,
+ "description": "Searches for OS Credentials dumping attacks",
+ "alertRuleTemplateName": "3acf5617-7c41-4085-9a79-cc3a425ba83a"
+ }
+ }
+ ]
+}
\ No newline at end of file
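Review bot: the filter `Codename == "OS Credential Dumping: LSASS Memory"` keys the detection on a long human-readable label with punctuation, which is the string in this series most likely to drift when the vendor renames or localises it, and a mismatch disables the rule silently. Matching case-insensitively on the stable part, `| where MessageType == 2 and Codename has "LSASS"`, or on a vendor-side stable identifier if `afad_parser` exposes one, is more robust. `"techniques": null` could also be set to `["T1003"]` (OS Credential Dumping) to match the description.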
From c1776339dfcef8034f2b6d408e2c51b7c2a1fff3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:27 +0000
Subject: [PATCH 030/375] Exported file: Alsid Password Guessing.json.json
---
.../Alsid Password Guessing.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Guessing.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Guessing.json b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
new file mode 100644
index 00000000..02fbf5c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Guessing",
+ "enabled": false,
+ "description": "Searches for bruteforce Password Guessing attacks",
+ "alertRuleTemplateName": "ba239935-42c2-472d-80ba-689186099ea1"
+ }
+ }
+ ]
+}
\ No newline at end of file
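Review bot: `"triggerThreshold": 0` with `"suppressionEnabled": false` and `"enabled": false` under `groupingConfiguration` turns every run that returns at least one `Password Guessing` row into a new incident, so a brute-force campaign that keeps tripping the Alsid indicator across the 2-hour runs produces one incident per run for its whole duration. Unless Alsid is known to emit a single IoA per campaign, enabling grouping on the targeted account (once an entity mapping exists) or `"suppressionEnabled": true` with a duration matched to the expected attack length keeps the queue manageable. How many rows Alsid emits per attack is not visible here, so this should be checked against real connector data before enabling.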
From 5ec68b37d2e114d25f4561eff62b0dd140b2c729 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:27 +0000
Subject: [PATCH 031/375] Exported file: Alsid Password Spraying.json.json
---
.../Alsid Password Spraying.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Spraying.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Spraying.json b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
new file mode 100644
index 00000000..a72493ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Spraying",
+ "enabled": false,
+ "description": "Searches for Password spraying attacks",
+ "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 37c55e2ec640f2763eed4df1879ec0c36c46e41b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:28 +0000
Subject: [PATCH 032/375] Exported file: Alsid Password issues.json.json
---
.../Alsid Password issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password issues.json b/SentinelExported-AnalyticsRule/Alsid Password issues.json
new file mode 100644
index 00000000..e0ebdc4d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to password issues",
+ "alertRuleTemplateName": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17"
+ }
+ }
+ ]
+}
\ No newline at end of file
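Review bot: `codeNameList` overlaps the sibling IoE rules in this series: `C-KRBTGT-PASSWORD` is also listed in 'Alsid privileged accounts issues', and `C-PASSWORD-DONT-EXPIRE` and `C-USER-PASSWORD` are also in 'Alsid user accounts issues', so a single finding for any of those codenames opens two incidents (three with the catch-all 'Indicators of Exposures' rule). If the intent is topic-based routing, make the lists disjoint or merge the bundles into one rule with a custom detail carrying the topic. At minimum the overlap should be stated in `description` so whoever enables the set expects the duplicates.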
From 320943beeb12094cc300b09da2c2e918700a781b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:29 +0000
Subject: [PATCH 033/375] Exported file: Alsid privileged accounts
issues.json.json
---
.../Alsid privileged accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
new file mode 100644
index 00000000..41c05802
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid privileged accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to privileged accounts issues",
+ "alertRuleTemplateName": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e"
+ }
+ }
+ ]
+}
\ No newline at end of file
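Review bot: `| order by Level` sorts ascending, so for this bundle the `low` findings are listed before `critical` ones in the alert's evidence, the opposite of what an analyst triaging privileged-account exposures wants; `| order by Level desc` is the intended direction. The `leftouter` lookup also matches `Severity` case-sensitively against the four lowercase keys, so any row with a differently cased severity gets a null `Level` and, with ascending order, sorts to the top; `| extend Severity = tolower(Severity)` before the lookup keeps the mapping intact. The list additionally shares `C-PRIV-ACCOUNTS-SPN` with the attack-pathways rule and `C-KRBTGT-PASSWORD` with the password-issues rule, so those findings alert twice when all three are enabled.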
From 8c2e1d0caadc136ee01594b2da8732eaf8114805 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:30 +0000
Subject: [PATCH 034/375] Exported file: Alsid user accounts issues.json.json
---
.../Alsid user accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid user accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid user accounts issues.json b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
new file mode 100644
index 00000000..07a811e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid user accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to user accounts issues",
+ "alertRuleTemplateName": "fb9e0b51-8867-48d7-86f4-6e76f2176bf8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 49e83cf8c1bab5e7acdf78c1daab5867d83533af Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:30 +0000
Subject: [PATCH 035/375] Exported file: Anomalous User Agent connection
attempt.json.json
---
...omalous User Agent connection attempt.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
new file mode 100644
index 00000000..1eb976f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2397090-face-41f6-ae70-89fc66312292')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2397090-face-41f6-ae70-89fc66312292')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold = 100;\nW3CIISLog \n// Exclude local IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous User Agent connection attempt",
+ "enabled": false,
+ "description": "Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.",
+ "alertRuleTemplateName": "f845881e-2500-44dc-8ed7-b372af3e1e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
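Review bot: the local-address exclusion `cIP !startswith "192.168." and cIP != "::1"` covers one RFC 1918 range and IPv6 loopback only; 10.0.0.0/8, 172.16.0.0/12 and 127.0.0.1 still pass, so internal scanners and health checks with very short user agents will keep producing Low incidents despite the `// Exclude local IPs` comment. `| where not(ipv4_is_private(cIP)) and cIP !in ("127.0.0.1", "::1")` expresses the comment's intent exactly. The `csUserName` to Account mapping will also carry the literal `-` that IIS writes for anonymous requests unless it is blanked first, e.g. `| extend csUserName = iff(csUserName == "-", "", csUserName)` before the entity columns are set.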
From f0fbe54c425491cbf720bfe13166dead91341143 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:31 +0000
Subject: [PATCH 036/375] Exported file: Anomalous login followed by Teams
action.json.json
---
...malous login followed by Teams action.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
new file mode 100644
index 00000000..e49e899e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aa392189-9ff4-40f3-af07-3c2e454d5b22')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aa392189-9ff4-40f3-af07-3c2e454d5b22')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\n//The minimum number of countries that the account has been accessed from [default: 2]\nlet minimumCountries = 2;\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\nlet deltaThreshold = 95;\n//The maximum (%) threshold that the country appears in login data [default: 10]\nlet countryPrevalenceThreshold = 10;\n//The time to project forward after the last login activity [default: 60min]\nlet projectedEndTime = 60min; \n//Get Teams successful signins globally\nlet aadFunc = (tableName:string){\nlet signinData =\n table(tableName)\n | where AppDisplayName has \"Teams\"\n | where ConditionalAccessStatus =~ \"success\"\n | extend country = tostring(todynamic(LocationDetails)['countryOrRegion'])\n | where isnotempty(country) and isnotempty(IPAddress);\n// Collect successful signins to teams\nlet loginEvents = \n signinData\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\n//Calcualte delta between logins\nlet loginDelta =\n loginEvents\n | summarize max(count_), min(count_) by UserPrincipalName\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\n | where delta >= deltaThreshold;\n//Count number of countries used to sign in\nlet countryCount =\n loginEvents\n | summarize Countries = dcount(country) by UserPrincipalName;\n//Join delta and sign in counts to successful logins\nloginDelta\n| join kind=rightouter (\n loginEvents\n) on UserPrincipalName\n| join kind=rightouter (\n countryCount\n) on UserPrincipalName\n//Check where the record meets the minimum required countries\n| where Countries >= minimumCountries\n| join kind=leftouter (\n signinData\n | summarize count() by country\n | join (\n //Now get the total number of logins from any country and join it to the previous count in a single table\n signinData\n | summarize count() by country\n | 
summarize sum(count_), make_list(country)\n | mv-expand list_country\n | extend country = tostring(list_country)\n ) on country\n | summarize by country, count_, sum_count_\n //Now calculate each countries prevalence within login events\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\n | project-away sum_count_\n | order by prevalence\n) on country\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\n| where prevalence < countryPrevalenceThreshold\n| where min_count_ == count_\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\n| extend EventTimes = list_TimeGenerated\n| extend SuspiciousIP = IPAddress\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\n//Teams join to collect operations the user account has performed within the given time range\n| join kind=inner( \n OfficeActivity\n | where Operation in~ (\"TeamsAdminAction\", \"MemberAdded\", \"MemberRemoved\", \"MemberRoleChanged\", \"AppInstalled\", \"BotAddedToTeam\")\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\n) on $left.UserPrincipalName == $right.UserId\n| mv-expand StartTime = EventTimes\n| extend StartTime = make_datetime(StartTime)\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\n//Limit to operations carried out by the user account in the timeframe the IP was active\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n//Filter on suspicious actions\n| extend activitySummary = pack(tostring(StartTime), pack(\"Operation\",tostring(Operation), \"OperationTime\", OperationTime))\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous login followed by Teams action",
+ "enabled": false,
+ "description": "Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.",
+ "alertRuleTemplateName": "2b701288-b428-4fb8-805e-e4372c574786"
+ }
+ }
+ ]
+}
\ No newline at end of file
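Review bot: The query's `let deltaThreshold = 95;` contradicts both its own inline comment `[default: 90]` and the description's "delta >= 90%", so the exported rule is stricter than it documents; either set `let deltaThreshold = 90;` or update the comment and description to 95. Separately, the final join `on $left.UserPrincipalName == $right.UserId` lowercases only the OfficeActivity side (`UserId=tolower(UserId)`) while KQL `==` joins are case-sensitive, so a sign-in UPN containing upper-case letters never matches a Teams action; normalizing the left side in `signinData` with `| extend UserPrincipalName = tolower(UserPrincipalName)` closes that gap. Note also that the "successful signins" comment is implemented as `ConditionalAccessStatus =~ "success"`, which excludes sign-ins where no CA policy applied and does not itself check `ResultType`; confirm that is intended for tenants without blanket CA coverage.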
From 02ab18af00715568e64bf92ce76eddb1f21a812a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:32 +0000
Subject: [PATCH 037/375] Exported file: Anomalous sign-in location by user
account and authenticating application.json.json
---
...ccount and authenticating application.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
new file mode 100644
index 00000000..53c03dd6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78389019-b3c8-476c-9867-dee37f00f6ea')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78389019-b3c8-476c-9867-dee37f00f6ea')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet lookBack_long = 7d;\nlet lookBack_med = 3d;\nlet lookBack = 1d;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_long))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n// Create time series \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \nby UserPrincipalName, AppDisplayName \n// Compute best fit line for each entry \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \n// Chart the 3 most interesting lines \n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\n| where Slope > 0.3\n| top 50 by Slope desc\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_med))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 0.3\n| top 50 by Slope desc\n) on UserPrincipalName, AppDisplayName\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= 
startofday(ago(lookBack))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 5\n| top 50 by Slope desc\n// Higher threshold requirement on last day anomaly\n) on UserPrincipalName, AppDisplayName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous sign-in location by user account and authenticating application",
+ "enabled": false,
+ "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \nDirectory application and picks out the most anomalous change in location profile for a user within an \nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\nover last day but also over the last 3-day and 7-day periods.\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\nIt is recommended that you test and tune this appropriately for the workspace.",
+ "alertRuleTemplateName": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a"
+ }
+ }
+ ]
+}
\ No newline at end of file
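Review bot: Each of the three sub-queries assigns `Status = todynamic(DeviceDetail)` instead of `todynamic(Status)`; the column is unused here so the rule still works, but the copy-paste is misleading and becomes a real defect wherever this prologue is reused by rules that read `Status.errorCode` (the same line appears in the conditional-access rule later in this series), so change it to `Status = todynamic(Status)` or drop the extend. The comment `// Chart the 3 most interesting lines` is stale against the `top 50 by Slope desc` that follows, and that cap silently truncates anomalies in large tenants — worth stating in the description next to the existing timeout warning. The query also bounds itself to `startofday(ago(lookBack_long))` (about 7–8 days) while `"queryPeriod": "P14D"` fetches 14 days, so roughly half the scanned window is discarded; `"queryPeriod": "P8D"` would match the query's own bound.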
From 4e0a51383571812860970a6499115745cfcafbc6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:33 +0000
Subject: [PATCH 038/375] Exported file: AppServices AV Scan Failure.json.json
---
.../AppServices AV Scan Failure.json | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
new file mode 100644
index 00000000..9b8ca0c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Informational",
+ "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where ScanStatus == \"Failed\"\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "AppServices AV Scan Failure",
+ "enabled": false,
+ "description": "Identifies if an AV scan fails in Azure App Services.",
+ "alertRuleTemplateName": "c2da1106-bfe4-4a63-bf14-5ab73130ccd5"
+ }
+ }
+ ]
+}
\ No newline at end of file
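Review bot: `"triggerThreshold": 1` with `"triggerOperator": "GreaterThan"` means a single failed scan in the daily window never raises an alert — at least two `ScanStatus == "Failed"` rows are required — which contradicts the description "Identifies if an AV scan fails"; use `"triggerThreshold": 0` so one failure is enough. `let timeframe = ago(1d);` is declared but never referenced (the window comes from `queryPeriod`), so it should be removed or applied as `| where TimeGenerated >= timeframe`. Mapping `_ResourceId` (an ARM resource path) to a `Host` entity's `FullName` is also a loose fit; if the workspace's Sentinel version supports it, an `AzureResource` entity with identifier `ResourceId` describes the App Service more accurately — confirm against the entity-mapping schema.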
From 36a51311fb9d8c148f682cbb819d41b670914867 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:34 +0000
Subject: [PATCH 039/375] Exported file: AppServices AV Scan with Infected
Files.json.json
---
...pServices AV Scan with Infected Files.json | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
new file mode 100644
index 00000000..798f4b14
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09171b34-9e5d-4554-8675-f564c77f739d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09171b34-9e5d-4554-8675-f564c77f739d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Informational",
+ "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "AppServices AV Scan with Infected Files",
+ "enabled": false,
+ "description": "Identifies if an AV scan finds infected files in Azure App Services.",
+ "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036"
+ }
+ }
+ ]
+}
\ No newline at end of file
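Review bot: `"triggerThreshold": 1` with `GreaterThan` means a scan that reports infected files produces no alert unless a second such row lands in the same day; for a positive malware finding that is the wrong default and `"triggerThreshold": 0` should be used. `"severity": "Informational"` for `NumberOfInfectedFiles > 0` is also low for a confirmed detection — Medium or higher seems more appropriate, though this should be tuned to the workspace. As in the sibling "AV Scan Failure" rule, `let timeframe = ago(1d);` is unused and `_ResourceId` is mapped to a `Host` entity rather than an Azure resource; consider an `AzureResource`/`ResourceId` mapping if the schema supports it.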
From 0884492869f7b34d01e473d9854148b023f68e20 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:34 +0000
Subject: [PATCH 040/375] Exported file: Attempt to bypass conditional access
rule in Azure AD.json.json
---
...s conditional access rule in Azure AD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
diff --git a/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
new file mode 100644
index 00000000..a5d22d05
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2888ae98-ce2c-44e9-a841-001e775b0b7a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2888ae98-ce2c-44e9-a841-001e775b0b7a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, 
IPAddressCount, Type\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Attempt to bypass conditional access rule in Azure AD",
+ "enabled": false,
+ "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences: \nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown",
+ "alertRuleTemplateName": "3af9285d-bb98-4a35-ad29-5ea39ba0c628"
+ }
+ }
+ ]
+}
\ No newline at end of file
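Review bot: The line `Status = todynamic(DeviceDetail)` parses the wrong column, so `StatusCode = tostring(Status.errorCode)` and `StatusDetails = tostring(Status.additionalDetails)` are always empty: the filter `StatusDetails !has "MFA successfully completed"` never excludes anything and the reported `Status` string carries no error code. The fix is `Status = todynamic(Status)` in the first `extend`. Separately, `IPCustomEntity = tostring(IPAddresses)` serializes a JSON array (e.g. `["1.2.3.4","5.6.7.8"]`) into the IP entity's `Address` field, which is not a valid address and will not resolve for enrichment or incident grouping; `mv-expand` the set before the entity mapping, or map a single `IPAddress` column. `ConditionalAccessStatus == 1` compared against what is a string column in the current schema also looks suspect — confirm it is not a dead or erroring branch and drop it if `=~ "failure"` alone is intended.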
From bf768adc27d3a527ebb8e426532c2af4c5d9e3bc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:35 +0000
Subject: [PATCH 041/375] Exported file: Attempts to sign in to disabled
accounts.json.json
---
...empts to sign in to disabled accounts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
diff --git a/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
new file mode 100644
index 00000000..38093f5f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b0a0ec4e-ca45-42df-aaca-8487d921115d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b0a0ec4e-ca45-42df-aaca-8487d921115d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Attempts to sign in to disabled accounts",
+ "enabled": false,
+ "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
+ "alertRuleTemplateName": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04"
+ }
+ }
+ ]
+}
\ No newline at end of file
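Review bot: The second filter `| where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."` is redundant with `ResultType == "50057"` and brittle — the rule silently goes dark if Microsoft rewords that description; keep only the error-code filter or relax it to `| where ResultDescription has "disabled"`. Note also that `summarize ... by UserPrincipalName, IPAddress, Type` counts distinct applications per source table, so attempts split between `SigninLogs` and `AADNonInteractiveUserSignInLogs` are not combined before the `applicationCount >= threshold` test; if combining them is wanted, drop `Type` from the `by` clause and summarize after the `union` instead.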
From fd8cf4c3bd7f22162a0f6219e4055040efa2d0cb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:36 +0000
Subject: [PATCH 042/375] Exported file: Audit policy manipulation using
auditpol utility.json.json
---
...y manipulation using auditpol utility.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
diff --git a/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
new file mode 100644
index 00000000..9a038cca
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edb16bf3-eeca-4545-901f-6b4d79a41be9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edb16bf3-eeca-4545-901f-6b4d79a41be9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet AccountAllowList = dynamic(['SYSTEM']);\nlet SubCategoryList = dynamic([\"Logoff\", \"Account Lockout\", \"User Account Management\", \"Authorization Policy Change\"]); // Add any Category in the list to be allowed or disallowed\nlet tokens = dynamic([\"clear\", \"remove\", \"success:disable\",\"failure:disable\"]); \n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n//| where Process =~ \"auditpol.exe\" \n| where CommandLine has_any (tokens)\n| where AccountType !~ \"Machine\" and Account !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n// | where InitiatingProcessFileName =~ \"auditpol.exe\" \n| where InitiatingProcessCommandLine has_any (tokens)\n| where AccountName !in~ (AccountAllowList)\n| parse InitiatingProcessCommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n// | where OriginalFileName =~ \"auditpol.exe\"\n| where CommandLine has_any (tokens)\n| where User !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Audit policy manipulation using auditpol utility",
+ "enabled": false,
+ "description": "This detects attempt to manipulate audit policies using auditpol command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \nif the results show unrelated false positives, users may want to uncomment it.\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \nRefer to our M365 blog for details on use during the Solorigate attack:\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "alertRuleTemplateName": "66276b14-32c5-4226-88e3-080dacc31ce1"
+ }
+ }
+ ]
+}
\ No newline at end of file
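Review bot: The SubCategory/Toggle extraction in the query on L3415–L3416 assumes the value after `/subcategory:` is double-quoted (`split(subcategorytoken, "\"")[1]`), so an unquoted single-word subcategory such as `/subcategory:Logoff` yields an empty SubCategory and is dropped by the `where SubCategory in~ (SubCategoryList)` filter in all three union branches. A fallback before the allow-list check, e.g. `| extend SubCategory = iff(isempty(SubCategory), tostring(split(trim(" ", subcategorytoken), " ")[0]), SubCategory)`, closes that gap; otherwise the limitation should be stated in the description. The Sysmon branch filters with `TimeGenerated > ago(timeframe)` while the other two use `>=`; harmless, but worth aligning. The query string appears wrapped across L3415 and L3416 without a diff marker; the hunk header's 68-line count suggests a rendering wrap rather than a change in the file.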
From 88911b1815b2e5746adabb56776a842102d7e86a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:37 +0000
Subject: [PATCH 043/375] Exported file: Authentication Methods Changed for
Privileged Account.json.json
---
...ethods Changed for Privileged Account.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
diff --git a/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
new file mode 100644
index 00000000..2a146d8f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d3d9221-367e-4954-836b-a53bfb08d042')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d3d9221-367e-4954-836b-a53bfb08d042')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles matches regex 'Admin'\n | summarize by tolower(AccountUPN));\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName =~ \"User registered security info\"\n| where LoggedByService =~ \"Authentication Methods\"\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(InitiatedBy.user.ipAddress)\n| where AccountCustomEntity in (VIPUsers)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Authentication Methods Changed for Privileged Account",
+ "enabled": false,
+ "description": "Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "694c91ee-d606-4ba9-928e-405a2dd0ff0f"
+ }
+ }
+ ]
+}
\ No newline at end of file
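Review bot: The final filter in the query on L3501, `| where AccountCustomEntity in (VIPUsers)`, is case-sensitive, but `VIPUsers` is built with `summarize by tolower(AccountUPN)`, so a `TargetResources[0].userPrincipalName` that preserves mixed case never matches and the change on a privileged account is silently not alerted. Use the case-insensitive operator or normalise the left side: `| where AccountCustomEntity in~ (VIPUsers)` or `| where tolower(AccountCustomEntity) in (VIPUsers)`. The `queryPeriod` of P14D on L3497 exists only to feed the IdentityInfo lookback (`queryperiod = 14d`); a sentence in the description saying so would keep the next maintainer from "tightening" it and emptying the VIP list.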
From cf2f00ba750e123cb175ba3dc65146be23f1b127 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:37 +0000
Subject: [PATCH 044/375] Exported file: Azure AD Health Monitoring Agent
Registry Keys Access.json.json
---
...Monitoring Agent Registry Keys Access.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
new file mode 100644
index 00000000..dbd3607b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// ADHealth Monitoring Agent Registry Key\nlet aadHealthMonAgentRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n| summarize count() by ProcessName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Health Monitoring Agent Registry Keys Access",
+ "enabled": false,
+ "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\n",
+ "alertRuleTemplateName": "f819c592-c5f9-4d5c-a79f-1e6819863533"
+ }
+ }
+ ]
+}
\ No newline at end of file
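Review bot: The query on L3586 ends with `| summarize count() by ProcessName`, which discards the `AccountCustomEntity`, `HostCustomEntity` and `timestamp` columns created on the preceding line, and accordingly this template has no `entityMappings` (compare the otherwise parallel rule in the next patch, L3666–L3685); incidents from this rule therefore carry no Account or Host entity to pivot on. If per-process aggregation is intended, carry the entity columns through, e.g. `| summarize count() by ProcessName, Account, Computer` followed by the existing `extend`, and add the Account/Host mappings; otherwise drop the trailing summarize and restore the mappings. The allow-list check `| where Process !in (aadConnectHealthProcs)` in both branches is case-sensitive, so if the recorded `ProcessName` casing differs from the list the agent's own access will alert; `!in~` is the safer comparison (same pattern in the next patch's query, L3651).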
From 43342898bbc55453bd30017abca1d5ecf3c1d700 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:38 +0000
Subject: [PATCH 045/375] Exported file: Azure AD Health Service Agents
Registry Keys Access.json.json
---
...h Service Agents Registry Keys Access.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
new file mode 100644
index 00000000..2e4c50df
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// ADHealthAgent Registry Key\nlet aadConnectHealthRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Health Service Agents Registry Keys Access",
+ "enabled": false,
+ "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\n",
+ "alertRuleTemplateName": "06bbf969-fcbe-43fa-bac2-b2fa131d113a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 390f7c682ade00978597f248a4ede8bdc909fc15 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:39 +0000
Subject: [PATCH 046/375] Exported file: Azure AD Role Management Permission
Grant.json.json
---
...e AD Role Management Permission Grant.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
new file mode 100644
index 00000000..0754cfd5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e3406d-b57c-411b-8604-4b77ff01e36f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e3406d-b57c-411b-8604-4b77ff01e36f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ has_any (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where Permission has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = iif(displayName_ =~ 'DelegatedPermissionGrant.Scope',\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "PrivilegeEscalation",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Role Management Permission Grant",
+ "enabled": false,
+ "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+ "alertRuleTemplateName": "1ff56009-db01-4615-8211-d4fda21da02d"
+ }
+ }
+ ]
+}
\ No newline at end of file
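Review bot: The query on L3736 reads `Target` and `TargetId` from fixed positions (`modifiedProperties[4]`, `[2]`, `[3]`), and the order of `modifiedProperties` in AuditLogs is not something the schema guarantees, so a change in the audit payload silently yields empty Target/TargetId rather than an error; selecting the property by its `displayName`, as the query already does for `AppRole.Value`/`DelegatedPermissionGrant.Scope`, would be robust. The template also has no `entityMappings`, unlike the sibling Azure AD rule at L3516–L3535, even though `Initiator` (a UPN or an app name) and `TargetId` are already computed; keeping the raw `userPrincipalName` in its own column and mapping it to an Account entity would let this High-severity incident be triaged without re-running the query.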
From 7090307fa1b1d87a7fe2d4a2b982cf12ac27c6ba Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:40 +0000
Subject: [PATCH 047/375] Exported file: Azure Active Directory Hybrid Health
AD FS New Server.json.json
---
...ectory Hybrid Health AD FS New Server.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
new file mode 100644
index 00000000..29761afb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d197e7a-078d-4401-9359-9c84a2335885')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d197e7a-078d-4401-9359-9c84a2335885')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS New Server",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/",
+ "alertRuleTemplateName": "88f453ff-7b9e-45bb-8c12-4058ca5e44ee"
+ }
+ }
+ ]
+}
\ No newline at end of file
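Review bot: `AppId` and `AccountName` are extracted from `Claims` in the query on L3802 but neither reaches the entity mappings, which bind only `Caller` and `CallerIpAddress` (L3817–L3836); for app-only callers `Caller` is typically an application identifier rather than a user, so the Account entity carries little triage value on its own. Consider mapping `AppId` to a CloudApplication entity alongside the existing Account/IP mappings, or at least note in the description that `AccountName` is the human-readable actor. The same structure appears in the next patch at L3887 and L3902–L3921, differing only in the `OperationNameValue` filter; the two would be simpler to maintain as one rule keyed on a list of operations, which is essentially what the following "Suspicious Application" rule already does.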
From bee3983375f039b1e89a5be6f8deca25b7dae29e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:40 +0000
Subject: [PATCH 048/375] Exported file: Azure Active Directory Hybrid Health
AD FS Service Delete.json.json
---
...ry Hybrid Health AD FS Service Delete.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
new file mode 100644
index 00000000..7426686e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS Service Delete",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/",
+ "alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 2e2d8773554c4aa9c0d6a78167d3e773f9c20989 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:41 +0000
Subject: [PATCH 049/375] Exported file: Azure Active Directory Hybrid Health
AD FS Suspicious Application.json.json
---
...d Health AD FS Suspicious Application.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
new file mode 100644
index 00000000..1fad03c8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\nlet appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\nlet operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\nAzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue in~ (operationNamesList)\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| where AppId !in (appList)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS Suspicious Application",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.",
+ "alertRuleTemplateName": "d9938c3b-16f9-444d-bc22-ea9a9110e0fd"
+ }
+ }
+ ]
+}
\ No newline at end of file
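Review bot: The `"description"` value in this hunk is missing its verb — "uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance…" presumably meant "to identify a suspicious application…", and since this text is what an analyst reads on the incident it should be corrected in the source template rather than patched after export. In the `"query"` string, `| where AppId !in (appList)` compares GUIDs case-sensitively; the `appid` claim is normally lower-case, but an upper-cased value would drop the two allowlisted agents out of the allowlist and alert on them, so `| where AppId !in~ (appList)` is the safer form, and the same case-sensitive `!in` on `ResourceIdentity` GUIDs appears in the "Azure Active Directory PowerShell accessing non-AAD resources" hunk below. `"techniques"` is `null` while `"tactics"` lists CredentialAccess and DefenseEvasion; filling the technique in would make the rule easier to map during triage.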
From 6f9e5c84188bee24dbb0abd135f191dd20ec7500 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:42 +0000
Subject: [PATCH 050/375] Exported file: Azure Active Directory PowerShell
accessing non-AAD resources.json.json
---
...owerShell accessing non-AAD resources.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
new file mode 100644
index 00000000..482dc022
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
+ "enabled": false,
+ "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.",
+ "alertRuleTemplateName": "50574fac-f8d1-4395-81c7-78a463ff0c52"
+ }
+ }
+ ]
+}
\ No newline at end of file
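Review bot: The `| order by TimeGenerated desc` inside `aadFunc` in the `"query"` string is applied separately to each branch before `union isfuzzy=true aadSignin, aadNonInt`, and a union does not preserve per-branch order, so the sort does work that the final result cannot rely on; either drop it or move it after the union (`union isfuzzy=true aadSignin, aadNonInt\n| order by TimeGenerated desc\n`). The `// AppDisplayName IS Azure Active Directory PowerShell` and `// ResourceDisplayName IS NOT …` comments are helpful — the same style of comment naming the two excluded resource GUIDs would be worth keeping if the list is ever extended. The case-sensitivity of `!in` on the GUID list is raised in the note on the "Azure Active Directory Hybrid Health AD FS Suspicious Application" hunk above.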
From 0acd64c623451a3b3128f765ae0c5d1501870992 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:43 +0000
Subject: [PATCH 051/375] Exported file: Azure DevOps Administrator Group
Monitoring.json.json
---
...DevOps Administrator Group Monitoring.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
new file mode 100644
index 00000000..381cb64c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05c4ea76-9c7f-4865-824b-178cbb899a82')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05c4ea76-9c7f-4865-824b-178cbb899a82')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT4H",
+ "queryPeriod": "PT4H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n// Change to true to monitor for Project Administrator adds to *any* project\nlet MonitorAllProjects = false;\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\nlet ProjectsToMonitor = dynamic(['','']);\nAzureDevOpsAuditing\n| where Area == \"Group\" and OperationName == \"Group.UpdateGroupMembership.Add\"\n| where Details has 'Administrators'\n| where Details has \"was added as a member of group\" and (Details endswith '\\\\Project Administrators' or Details endswith '\\\\Project Collection Administrators')\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\' GroupName\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Administrator Group Monitoring",
+ "enabled": false,
+ "description": "This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.",
+ "alertRuleTemplateName": "89e6adbd-612c-4fbe-bc3d-32f81baf3b6c"
+ }
+ }
+ ]
+}
\ No newline at end of file
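Review bot: With `let MonitorAllProjects = false;` and `let ProjectsToMonitor = dynamic(['','']);` as exported, the `EntityName in (ProjectsToMonitor)` branch of the final `where` in the `"query"` string can never match a real project name, so project-level "Project Administrators" additions are silently dropped and only the `Level == 'Organization'` branch fires; neither the description nor the in-query comment says the list must be populated before the rule is enabled. A comment on the placeholder such as `// As shipped this list is empty: project-level Project Administrators adds will NOT alert until it is populated or MonitorAllProjects is set to true` would make that explicit. Separately, `AddedIdentityId = Data.MemberId` is left as a dynamic value while every other field extracted from `Data` in these rules goes through `tostring()`; `AddedIdentityId = tostring(Data.MemberId)` would be consistent and avoids a dynamic column in the projected output.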
From 8d11fb74a9f48ee167ef42eb9dfbd1087e11e7f9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:44 +0000
Subject: [PATCH 052/375] Exported file: Azure DevOps Agent Pool Created Then
Deleted.json.json
---
...evOps Agent Pool Created Then Deleted.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
new file mode 100644
index 00000000..7daf66d8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let lookback = 14d;\nlet timewindow = 7d;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolCreated\"\n| extend AgentCloudId = tostring(Data.AgentCloudId)\n| extend PoolType = iif(isnotempty(AgentCloudId), \"Azure VMs\", \"Self Hosted\")\n// Comment this line out to include cloud pools as well\n| where PoolType == \"Self Hosted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend IsHosted = tostring(Data.IsHosted)\n| extend IsLegacy = tostring(Data.IsLegacy)\n| extend timekey = bin(TimeGenerated, timewindow)\n// Join only with pools deleted in the same window\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolDeleted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Agent Pool Created Then Deleted",
+ "enabled": false,
+ "description": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.",
+ "alertRuleTemplateName": "acfdee3f-b794-404a-aeba-ef6a1fa08ad1"
+ }
+ }
+ ]
+}
\ No newline at end of file
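Review bot: The join in the `"query"` string is keyed on `timekey = bin(TimeGenerated, timewindow)` on both sides, so a pool created near the end of one 7-day bin and deleted a day later in the next bin never joins even though it was created and deleted "relatively quickly" as the description promises; the window is really "within the same calendar bin", not "within 7 days". Joining on the pool alone and filtering on elapsed time removes that boundary gap: `) on AgentPoolId` followed by `| where TimeGenerated1 between (TimeGenerated .. (TimeGenerated + timewindow))`, with the two `timekey` extends dropped (the right-hand timestamp is suffixed `1` by the join, as with the other duplicated columns). The `// Comment this line out to include cloud pools as well` comment is a good pattern; a similar one-line comment on `let timewindow = 7d;` stating that it is the create-to-delete interval would help whoever tunes it, and it is also worth noting that with `queryFrequency` P7D and `queryPeriod` P14D a matching pair will presumably surface in two consecutive runs.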
From bbe90b626bab162acbfbc1fe17f6d4c00a563070 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:45 +0000
Subject: [PATCH 053/375] Exported file: Azure DevOps Audit Stream
Disabled.json.json
---
.../Azure DevOps Audit Stream Disabled.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
new file mode 100644
index 00000000..cb3e0d9b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"AuditLog.StreamDisabledByUser\"\n| extend StreamType = tostring(Data.ConsumerType)\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Audit Stream Disabled",
+ "enabled": false,
+ "description": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate.",
+ "alertRuleTemplateName": "4e8238bd-ff4f-4126-a9f6-09b3b6801b3d"
+ }
+ }
+ ]
+}
\ No newline at end of file
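Review bot: `"queryFrequency": "P1D"` for a `"severity": "High"` rule that detects audit streaming being switched off means the defender can learn of the tampering up to a day after it happened, which is the window the description itself says an attacker uses before re-enabling the stream; a shorter frequency and period (for example `"queryFrequency": "PT1H"` / `"queryPeriod": "PT1H"`, as the PAT misuse rule in this series uses) would fit the severity better, if the volume of `AuditLog.StreamDisabledByUser` events allows it. `"techniques"` is `null` although the rule maps cleanly onto tactic DefenseEvasion — T1562 (Impair Defenses) would be the natural fill. The `"description"` text has a typo, "its unlikely" → "it's unlikely", which should be fixed in the source template since the export is regenerated by the bot.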
From 6691f04fd0d0a52627b027cacc381d3321033456 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:45 +0000
Subject: [PATCH 054/375] Exported file: Azure DevOps Build Variable Modified
by New User_.json.json
---
... Build Variable Modified by New User_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
new file mode 100644
index 00000000..75675e69
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/10254512-df08-4fea-8619-c505e87d377b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/10254512-df08-4fea-8619-c505e87d377b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet historical_data =\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend variables = Data.Variables\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| project UserKey;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| where UserKey !in (historical_data)\n| project-away UserKey\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Build Variable Modified by New User.",
+ "enabled": false,
+ "description": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \nmodifying them before.",
+ "alertRuleTemplateName": "3b9a44d7-c651-45ed-816c-eae583a6f2f1"
+ }
+ }
+ ]
+}
\ No newline at end of file
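Review bot: `let lookback = 14d;` and `let timeframe = 1d;` in the `"query"` string duplicate `"queryPeriod": "P14D"` and `"queryFrequency": "P1D"` with nothing tying them together, so a later change to either rule setting in the portal silently leaves the baseline window in the KQL unchanged; a comment such as `// lookback must match queryPeriod and timeframe must match queryFrequency, or the "new user" baseline drifts` would at least make the coupling visible. `| extend variables = Data.Variables` in `historical_data` is computed and then discarded by `| project UserKey;` and can be removed. The `"displayName"` ends in a trailing period ("…Modified by New User."), which is why the exported filename carries the `_` suffix; the "Azure DevOps PAT used with Browser." rule below has the same trailing period, and both are presumably worth trimming at the source.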
From c838838065ca765d3763f796a4d5c5120eb53199 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:46 +0000
Subject: [PATCH 055/375] Exported file: Azure DevOps New Extension
Added.json.json
---
.../Azure DevOps New Extension Added.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
new file mode 100644
index 00000000..3b224b1f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let allowed_publishers = dynamic([]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Extension.Installed\"\n| extend ExtensionName = tostring(Data.ExtensionName)\n| extend PublisherName = tostring(Data.PublisherName)\n| where PublisherName !in (allowed_publishers)\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps New Extension Added",
+ "enabled": false,
+ "description": "Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \nThis query looks for new extensions that are not from a configurable list of approved publishers.",
+ "alertRuleTemplateName": "bf07ca9c-e408-443a-8939-6860a45a929e"
+ }
+ }
+ ]
+}
\ No newline at end of file
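Review bot: `| where PublisherName !in (allowed_publishers)` in the `"query"` string is a case-sensitive comparison, so a publisher added to the allowlist as "contoso" will still alert on an install recorded as "Contoso"; `| where PublisherName !in~ (allowed_publishers)` is the safer form for a human-maintained allowlist. The description says the list of approved publishers is configurable, but the in-query `let allowed_publishers = dynamic([]);` carries no hint that an empty list means every `Extension.Installed` event alerts at `"severity": "Low"`; a comment such as `// Empty allowlist = alert on every extension install; add trusted publisher names here` would make the as-shipped behaviour obvious to whoever enables the rule.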
From 80b158dd07a38855b8354af9b2d7ce2ccd0122e9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:47 +0000
Subject: [PATCH 056/375] Exported file: Azure DevOps PAT used with
Browser_.json.json
---
.../Azure DevOps PAT used with Browser_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
new file mode 100644
index 00000000..f3e7ef1b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\"\n// Look for useragents that include a redenring engine\n| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps PAT used with Browser.",
+ "enabled": false,
+ "description": "Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.",
+ "alertRuleTemplateName": "5f0d80db-3415-4265-9d52-8466b7372e3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
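Review bot: The comment `// Look for useragents that include a redenring engine` inside the `"query"` string has a typo ("rendering") that should be fixed in the source template, since the exported file is regenerated by the bot. The `has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")` match is presumably broader than "a browser": user-agent strings from embedded or Electron-style clients can also carry WebKit/Blink tokens, so the description's "This should not be normal activity" may not hold in every tenant, and a sentence in the description about tuning the engine list (or excluding known non-browser agents) would set expectations for triage. The trailing period in `"displayName"` is noted on the "Azure DevOps Build Variable Modified by New User." hunk above.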
From d76b5451d62231c8cadf7c518e6812ebc09b1dc7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:48 +0000
Subject: [PATCH 057/375] Exported file: Azure DevOps Personal Access Token
(PAT) misuse.json.json
---
...ps Personal Access Token (PAT) misuse.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
new file mode 100644
index 00000000..e5f4bec3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41f05d3b-cc19-40f4-942e-d6748668eb18')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41f05d3b-cc19-40f4-942e-d6748668eb18')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\n// Allowlisted UPNs should likely stay empty\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\n// Operation Name parts that will alert\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\n// Distinct Operation Names that will flag\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\nAzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\n and ActorUPN !in (AllowlistedUpns)\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Personal Access Token (PAT) misuse",
+ "enabled": false,
+ "description": "This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\nUse this query for baselining:\nAzureDevOpsAuditing\n| distinct OperationName",
+ "alertRuleTemplateName": "ac891683-53c3-4f86-86b4-c361708e2b2b"
+ }
+ }
+ ]
+}
\ No newline at end of file
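Review bot: The `AllowlistedUpns` datatable in the rule query on the `"query"` line is seeded with placeholder addresses (`'foo@bar.com', 'test@foo.com'`) even though its own comment says the list should likely stay empty; an exported rule that ships with placeholder exclusions invites them to be left in place, and any real account that happens to match is silently excluded from the detection. Prefer exporting it as `let AllowlistedUpns = datatable(UPN:string)[];` and stating in the description that entries are added per tenant. The same placeholder pattern appears in the `AuthorizedBypassers` list of the Pull Request Policy Bypassing rule (PATCH 060). Note also that `!in` is case-sensitive in KQL, so an allowlisted UPN must match the audit log's casing exactly; `!in~` would make the exclusion case-insensitive if that is the intent.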
From c8c15598814f218471c1c116abcf3b557a7f8051 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:48 +0000
Subject: [PATCH 058/375] Exported file: Azure DevOps Pipeline Created and
Deleted on the Same Day.json.json
---
...e Created and Deleted on the Same Day.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
new file mode 100644
index 00000000..751b6ae4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P3D",
+ "queryPeriod": "P3D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 3d;\n// Get Release Pipeline Creation Events and group by day\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineCreated\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some columns to make output clearer\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineDeleted\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some things to make the output clearer\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pipeline Created and Deleted on the Same Day",
+ "enabled": false,
+ "description": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.",
+ "alertRuleTemplateName": "17f23fbe-bb73-4324-8ecf-a18545a5dc26"
+ }
+ }
+ ]
+}
\ No newline at end of file
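Review bot: The join in the rule query on the `"query"` line pairs creation and deletion on `timekey = bin(TimeGenerated, 1d)`, so a pipeline created shortly before and deleted shortly after a UTC day boundary is never paired, and the rule misses exactly the quick create-and-delete the description targets. If the intent is "within 24 hours" rather than "same calendar day", join on `PipelineId` alone and keep pairs with `| where TimeDeleted between (TimeCreated .. (TimeCreated + 1d))` after the join, which also removes the need for the two `timekey` extends. The `P3D` frequency and period do agree with `timeframe = 3d`, so the schedule is consistent. `"techniques"` is exported as `null` while `"tactics"` is populated, so the MITRE technique mapping is missing here and in every other rule in this series; the rule descriptions would be the place to record which techniques the query is meant to cover.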
From 6a169720a6b0cfd9ba8aa2d931bf8349b08b1a79 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:49 +0000
Subject: [PATCH 059/375] Exported file: Azure DevOps Pipeline modified by a
new user_.json.json
---
...vOps Pipeline modified by a new user_.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
new file mode 100644
index 00000000..9b968c7a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/288cca7e-3f39-42fc-ada2-eca124936ec2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/288cca7e-3f39-42fc-ada2-eca124936ec2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Set the lookback to determine if user has created pipelines before\nlet timeback = 14d;\n// Set the period for detections\nlet timeframe = 1d;\n// Get a list of previous Release Pipeline creators to exclude\nlet releaseusers = AzureDevOpsAuditing\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\n| where OperationName in (\"Release.ReleasePipelineCreated\", \"Release.ReleasePipelineModified\")\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| summarize by UserScope;\n// Get Release Pipeline creations by new users\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineModified\"\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| where UserScope !in (releaseusers)\n| extend ActorUPN = tolower(ActorUPN)\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\n| join kind = leftouter (\nSecurityAlert\n| where TimeGenerated > ago(timeframe)\n| where ProviderName == \"IPC\"\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\n// Uncomment the line below to only show results where the user as AADIdP alerts\n//| where Alerts > 0\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pipeline modified by a new user.",
+ "enabled": false,
+ "description": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.",
+ "alertRuleTemplateName": "155e9134-d5ad-4a6f-88f3-99c220040b66"
+ }
+ }
+ ]
+}
\ No newline at end of file
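Review bot: The Azure AD Identity Protection join in the rule query on the `"query"` line reads `parse_json(Entities)[0].AadUserId`, which assumes the account entity is always the first element of `Entities`; when it is not, `AadUserId` is empty, the `leftouter` join finds nothing and `Alerts` is silently reported as 0 for a user who does have alerts. A more robust form expands the array and keeps the element that carries the field, e.g. `| mv-expand Entity = parse_json(Entities)` followed by `| extend AadUserId = tostring(Entity.AadUserId) | where isnotempty(AadUserId)` before the `summarize`. The `releaseusers` baseline is keyed on `ActorUserId` while only the output column `ActorUPN` is lowercased, which is consistent as written. The in-query comment `where the user as AADIdP alerts` reads as a typo for `has`.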
From 6b5b80a24632c14c39e9be40e18e87a52cdd4cdf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:50 +0000
Subject: [PATCH 060/375] Exported file: Azure DevOps Pull Request Policy
Bypassing - Historic allow list.json.json
---
...olicy Bypassing - Historic allow list.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
new file mode 100644
index 00000000..fa73bd4c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bf49942-c5ad-448a-bf6b-893f39186ea2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bf49942-c5ad-448a-bf6b-893f39186ea2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\nlet historicBypassers = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| parse ScopeDisplayName with OrganizationName '(Organization)'\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pull Request Policy Bypassing - Historic allow list",
+ "enabled": false,
+ "description": "This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.",
+ "alertRuleTemplateName": "4d8de9e6-263e-4845-8618-cd23a4f58b70"
+ }
+ }
+ ]
+}
\ No newline at end of file
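Review bot: `parse ScopeDisplayName with OrganizationName '(Organization)'` in the rule query on the `"query"` line has no leading space before `(Organization)`, unlike the `' (Organization)'` pattern used by the Service Connection rules in this series (PATCH 062 and 063), so `OrganizationName` keeps a trailing space and the `PRLink` built from it via `strcat('https://dev.azure.com/', OrganizationName, ...)` is malformed. Either parse with `' (Organization)'` as the sibling rules do, or wrap the value with `trim(' ', OrganizationName)` before the `strcat`. Separately, the historic allow list means a user who bypassed a policy once in the prior 14 days is not flagged again while they keep bypassing inside that rolling window; the description should state this blind spot so analysts do not read the rule as covering repeat bypassers.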
From bb513467f7fa68a94e40274db5ed0d44193fffa0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:51 +0000
Subject: [PATCH 061/375] Exported file: Azure DevOps Retention
Reduced.json.json
---
.../Azure DevOps Retention Reduced.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
new file mode 100644
index 00000000..1567aab0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/769308db-305a-47ed-9837-bfb6bec71ea7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/769308db-305a-47ed-9837-bfb6bec71ea7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Pipelines.PipelineRetentionSettingChanged\"\n| where Data.SettingName in (\"PurgeArtifacts\", \"PurgeRuns\")\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Retention Reduced",
+ "enabled": false,
+ "description": "AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.",
+ "alertRuleTemplateName": "71d374e0-1cf8-4e50-aecd-ab6c519795c2"
+ }
+ }
+ ]
+}
\ No newline at end of file
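Review bot: The retention comparison in the rule query on the `"query"` line uses the untyped dynamic properties directly (`Data.NewValue == 1 or Data.NewValue < Data.OldValue/2`); if the audit payload carries these values as strings rather than numbers, the division and the ordering compare do not behave as numeric comparisons and reductions are silently missed. Casting first makes the intent explicit and robust: `| extend NewValue = tolong(Data.NewValue), OldValue = tolong(Data.OldValue)` and then `| where NewValue == 1 or NewValue < OldValue / 2`. The setting that changed is only visible inside the raw `Data` blob; surfacing `SettingName = tostring(Data.SettingName)` alongside the cast values in the `project-reorder` would make triage faster.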
From 51c09bdc7c385b238b0a891e43d2b9bba4e618b4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:51 +0000
Subject: [PATCH 062/375] Exported file: Azure DevOps Service Connection
Abuse.json.json
---
...Azure DevOps Service Connection Abuse.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
new file mode 100644
index 00000000..40ce7976
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4413d174-435c-48a7-8a3c-437db7ff3939')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4413d174-435c-48a7-8a3c-437db7ff3939')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n// How many greater than Service Connections you want to view per build/release\nlet ServiceConnectionThreshold = 4;\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nAzureDevOpsAuditing\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\n| where CurrentCount > ServiceConnectionThreshold\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iif(\n Type == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Persistence",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Service Connection Abuse",
+ "enabled": false,
+ "description": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \nor dump credentials from service connections.",
+ "alertRuleTemplateName": "d564ff12-8f53-41b8-8649-44f76b37b99f"
+ }
+ }
+ ]
+}
\ No newline at end of file
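Review bot: This rule has no `entityMappings`, and its query on the `"query"` line does not carry an actor through the `summarize` (it groups by OrganizationName, DefId, Type, ProjectId and ProjectName only), so incidents it creates have no Account entity and the `AllEntities` matching method configured under `groupingConfiguration` has nothing to match on; the sibling Service Connection Addition/Abuse rule (PATCH 063) keeps `ActorUPN` in its summarize and maps it. Either add `ActorUPN` to the summarize's `by` clause as PATCH 063 does, or carry a representative actor with `Actor = take_any(ActorUPN)`, then add an `Account`/`FullName` mapping on that column as the other rules in this series do. The `BypassDefIds` datatable is exported with every row commented out, which is a sensible default, but the description should say the bypass table is intentionally empty and is populated per tenant.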
From db36cf83b577b994e441ad4379a739755b5ab588 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:52 +0000
Subject: [PATCH 063/375] Exported file: Azure DevOps Service Connection
Addition_Abuse - Historic allow list.json.json
---
... Addition_Abuse - Historic allow list.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
new file mode 100644
index 00000000..9bd1181b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5410fda8-a757-41b6-97f1-79a08f07dd0f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5410fda8-a757-41b6-97f1-79a08f07dd0f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 6h;\n// Ignore Build/Releases with less/equal this number\nlet ServiceConnectionThreshold = 3;\n// New Connections need to exhibit execution of more \"new\" connections than this number.\nlet NewConnectionThreshold = 1;\n// List of Builds/Releases to ignore in your space\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nlet HistoricDefs = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\n| where CurrentCount > ServiceConnectionThreshold\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iff(\nType == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', 
DefId),\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Service Connection Addition/Abuse - Historic allow list",
+ "enabled": false,
+ "description": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.",
+ "alertRuleTemplateName": "5efb0cfd-063d-417a-803b-562eae5b0301"
+ }
+ }
+ ]
+}
\ No newline at end of file
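Review bot: `| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` in the rule query on the `"query"` line is an inner join, so a build/release definition (or actor) with no service-connection executions in the historic window is dropped before the `CurrentCount >= HistoricCount + NewConnectionThreshold` test; a brand-new or freshly hijacked definition that immediately uses many connections is therefore never flagged by this rule, and only the threshold-only Service Connection Abuse rule (PATCH 062) would catch it. A `join kind=leftouter (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` followed by `| extend HistoricCount = coalesce(HistoricCount, 0)` before the comparison would cover that case, with `ConnectionNames1` then empty for definitions without history. The description already explains the historic-allow-list intent, so it should also state that definitions with no prior history are currently excluded, so operators know to pair this rule with PATCH 062.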
From 69085b0dfcc03aebcd00d3613770624d37445971 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:53 +0000
Subject: [PATCH 064/375] Exported file: Azure DevOps Variable Secret Not
Secured.json.json
---
...re DevOps Variable Secret Not Secured.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
new file mode 100644
index 00000000..dd7a369c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24b268fb-0acf-4315-808e-f1e941506be3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24b268fb-0acf-4315-808e-f1e941506be3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let keywords = dynamic([\"secret\", \"secrets\", \"password\", \"PAT\", \"passwd\", \"pswd\", \"pwd\", \"cred\", \"creds\", \"credentials\", \"credential\", \"key\"]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend Type = tostring(Data.Type)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| mv-expand Data.Variables\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\n| where Type != \"AzureKeyVault\"\n| where Data_Variables !has \"IsSecret\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Variable Secret Not Secured",
+ "enabled": false,
+ "description": "Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.",
+ "alertRuleTemplateName": "4ca74dc0-8352-4ac5-893c-73571cc78331"
+ }
+ }
+ ]
+}
\ No newline at end of file
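Review bot: The `| where Data_Variables !has "IsSecret"` clause on the query line decides "not secured" by the mere presence of the token `IsSecret` in the expanded variable, so a variable record serialized with an explicit `IsSecret: false` would be treated as protected and dropped — exactly the case the rule exists to catch. If the `Library.VariableGroupModified` payload can carry that key with a false value (worth confirming against a sample event), replace the clause with `| where tobool(Data_Variables.IsSecret) != true`, which covers both the missing-key and explicit-false cases. Note also that `has_any` matches whole terms, so names written as one alphanumeric run such as `ApiKey` or `sshkey` do not match the keyword `key`; if those spellings matter, add them to `keywords` rather than switching to `contains`, which would fire on far more benign names.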
From 8b10c2e7635c75a8852ac606c1e57606c358dc68 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:54 +0000
Subject: [PATCH 065/375] Exported file: Azure Key Vault access TimeSeries
anomaly.json.json
---
...e Key Vault access TimeSeries anomaly.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
new file mode 100644
index 00000000..e77da8f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22b9eab7-3edd-483a-8aca-5568e23dad78')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22b9eab7-3edd-483a-8aca-5568e23dad78')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\n) on Resource, TimeGenerated\n| summarize EventCount=count(), 
OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Key Vault access TimeSeries anomaly",
+ "enabled": false,
+ "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052",
+ "alertRuleTemplateName": "0914adab-90b5-47a3-a79f-7cdcac843aa7"
+ }
+ }
+ ]
+}
\ No newline at end of file
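Review bot: The anomaly series and the record join on the query line disagree on bucket size: `make-series ... step timeframe` with `let timeframe = 1d;` yields one point per day (despite the column being named `HourlyCount`), but the inner `AzureDiagnostics` branch bins to `bin(TimeGenerated, 1h)` and the join is `on Resource, TimeGenerated`, so only the 00:00–01:00 hour of an anomalous day can ever match and events from the other 23 hours are silently dropped from the alert. Bin the inner branch with the same step as the series — `| extend DateHour = bin(TimeGenerated, timeframe)` and `summarize ... by bin(TimeGenerated, timeframe), Resource, ...` — and rename `HourlyCount` to reflect the daily step so the next reader is not misled. Separately, the description says the anomaly is computed "by CallerIPAddress" while the series is built `by Resource` only; correct one of the two so responders know which baseline actually fired.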
From ff8e4d642d0caa0475e0591c8497b7592cd79230 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:55 +0000
Subject: [PATCH 066/375] Exported file: Azure Portal Signin from another Azure
Tenant.json.json
---
...rtal Signin from another Azure Tenant.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
diff --git a/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
new file mode 100644
index 00000000..7904a727
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211129.json\"]\nwith(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes);\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where AppDisplayName =~ \"Azure Portal\"\n// Only get logons where the IP address is in an Azure range\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == TenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Portal Signin from another Azure Tenant",
+ "enabled": false,
+ "description": "This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.",
+ "alertRuleTemplateName": "87210ca1-49a4-4a7d-bb4a-4988752f978c"
+ }
+ }
+ ]
+}
\ No newline at end of file
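Review bot: The `externaldata` call on the query line is pinned to `ServiceTags_Public_20211129.json`, a snapshot dated well over a year before this export, and the inline comment itself admits the URL has to be updated by hand as the file is republished under new dated names. If that download is retired the scheduled query fails outright and yields no rows, which looks like "no cross-tenant sign-ins" rather than a broken rule — a silent detection gap, and an unpinned remote dependency fetched on every hourly run (`queryFrequency: PT1H`). Prefer loading the prefixes from a Sentinel watchlist refreshed by automation (`_GetWatchlist(...)` in place of the `externaldata` block), or at minimum monitor this rule's run health so a failed fetch is surfaced. Also treat the Azure-range match as a coarse signal only: plenty of benign SaaS and CI traffic originates from Azure, so `ipv4_lookup` against the whole public tag set catches those alongside attacker-controlled subscriptions.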
From 30f3cd56d59a78be02ce9626105a50e3d84ee7da Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:55 +0000
Subject: [PATCH 067/375] Exported file: Azure VM Run Command operation
executed during suspicious login window.json.json
---
...ecuted during suspicious login window.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
new file mode 100644
index 00000000..49ff5bff
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P2D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n// Create a join key using the Caller (UPN)\n| extend joinkey = tolower(Caller)\n// Join the Run Command actions to UEBA data\n| join kind = inner (\n BehaviorAnalytics\n // We are specifically interested in unusual logins\n | where EventSource == \"Azure AD\" and ActivityInsights.ActionUncommonlyPerformedByUser == \"True\"\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\n | extend joinkey = tolower(UserPrincipalName)\n) on joinkey\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure VM Run Command operation executed during suspicious login window",
+ "enabled": false,
+ "description": "Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \nthat has resulted in a recent user entity behaviour alert.",
+ "alertRuleTemplateName": "11bda520-a965-4654-9a45-d09f372f71aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
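Review bot: With `queryPeriod: P2D` and `queryFrequency: P1D` every Run Command execution falls inside two consecutive runs, and nothing on the query line restricts `StartTime` to the most recent day, so each match is raised twice; incident grouping is disabled (`"enabled": false` under `groupingConfiguration`) and suppression is off, so nothing absorbs the duplicate. Adding `| where StartTime > ago(1d)` after the `project` that follows the first `summarize` keeps the two-day lookback for the `BehaviorAnalytics` side while alerting on each execution once — if the extra day is there specifically to tolerate UEBA ingestion latency, enabling entity-based grouping is the alternative that preserves that intent. Also, the description says the correlation is by "UserPrincipalName and IP Address", but the join is `on joinkey` (lower-cased UPN) only and `CallerIpAddress` is never compared with the UEBA event's source; either tighten the join or reword the description so analysts do not assume the IP was corroborated.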
From b258764e615e920730a92a1e437f26d0fab23875 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:56 +0000
Subject: [PATCH 068/375] Exported file: Azure VM Run Command operations
executing a unique powershell script.json.json
---
... executing a unique powershell script.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
new file mode 100644
index 00000000..62fc74a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e52bd802-3e96-4391-8b7f-c57e58539370')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e52bd802-3e96-4391-8b7f-c57e58539370')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let RunCommandData = materialize ( AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n| join kind=leftouter (\n DeviceFileEvents\n | where InitiatingProcessFileName == \"RunCommandExtension.exe\"\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\n) on VirtualMachineName\n// We need to filter by time sadly, this is the only way to link events\n| where PowershellFileCreatedTimestamp between (StartTime .. 
EndTime)\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\n| join kind=inner(\n DeviceEvents\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | where InitiatingProcessCommandLine has \"-File\"\n // Extract the script name based on the structure used by the RunCommand extension\n | extend PowershellFileName = extract(@\"\\-File\\s(script[0-9]{1,9}\\.ps1)\", 1, InitiatingProcessCommandLine)\n // Discard results that didn't successfully extract, these are not run command related\n | where isnotempty(PowershellFileName)\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\n | where PSCommand != PowershellFileName \n // Now we normalise the cmdlets, we're aiming to hash them to find scripts using rare combinations\n | extend PSCommand = toupper(PSCommand)\n | order by PSCommand asc\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\n) on $left.FileName == $right.PowershellFileName\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\n| order by StartTime asc \n// We generate the hash based on the cmdlets called and the size of the powershell script\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\nlet totals = toscalar (RunCommandData\n| summarize count());\nlet hashTotals = RunCommandData\n| 
summarize HashCount=count() by ScriptFingerprintHash;\nRunCommandData\n| join kind=leftouter (\nhashTotals\n) on ScriptFingerprintHash\n// Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\n// Where the hash was only ever seen once.\n| where HashCount == 1\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure VM Run Command operations executing a unique powershell script",
+ "enabled": false,
+ "description": "Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\nin your environment.",
+ "alertRuleTemplateName": "5239248b-abfb-4c6a-8177-b104ade5db56"
+ }
+ }
+ ]
+}
\ No newline at end of file
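Review bot: The fingerprint on the query line is `hash_sha256(tostring(PowershellScriptCommands))`, so the file size is not part of it even though the preceding line builds `TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)` for that purpose and the description promises "a combined hash of the cmdlets it imports and the filesize"; `TempFingerprintString` is computed and never read. Use `| extend ScriptFingerprintHash = hash_sha256(TempFingerprintString)` so two scripts with the same cmdlet set but different bodies are no longer collapsed into one already-seen hash. A second correctness point: the `DeviceEvents` join is `on $left.FileName == $right.PowershellFileName` alone, and the extracted names (`script<N>.ps1` per the regex) are not unique across VMs, so a Run Command on one VM can be paired with PowerShell cmdlets executed on another; keep `VirtualMachineName` in that inner `summarize ... by` and join `on VirtualMachineName, $left.FileName == $right.PowershellFileName`. The comment text `StartTimeed` also looks like a stray find-and-replace of `Started`.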
From a70fe682667fcb163e6b94e44452b01a59073b37 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:57 +0000
Subject: [PATCH 069/375] Exported file: Azure WAF matching for Log4j
vuln(CVE-2021-44228).json.json
---
...tching for Log4j vuln(CVE-2021-44228).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
diff --git a/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
new file mode 100644
index 00000000..4e56f2fd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/094a8752-7d9e-4873-84ee-ff561e73b3c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/094a8752-7d9e-4873-84ee-ff561e73b3c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureDiagnostics\n| where details_data_s has \"jndi:\"\n| parse details_data_s with * '${' MaliciousCommand '}' *\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)",
+ "enabled": false,
+ "description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/",
+ "alertRuleTemplateName": "2de8abd6-a613-450e-95ed-08e503369fb3"
+ }
+ }
+ ]
+}
\ No newline at end of file
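Review bot: The filter `| where details_data_s has "jndi:"` on the query line only catches the literal lookup string, so the obfuscated forms the linked Microsoft guidance describes (`${${lower:j}ndi:`, `${${::-j}ndi:`, `${${env:NaN:-j}ndi:`) are never parsed or decoded even when the WAF blocked them, and nothing restricts `Category` or `ResourceType`, so the rule is effectively a free-text grep over every `AzureDiagnostics` row that has a `details_data_s` column. Widen the match to the nested-lookup marker that all of those variants share, e.g. `| where details_data_s has "jndi:" or details_data_s contains "${${"`, and scope the query to the WAF log categories your gateways actually emit so `hostname_s`, `clientIp_s` and `ruleSetType_s` are guaranteed to be present. Be aware that `parse details_data_s with * '${' MaliciousCommand '}' *` stops at the first `}`, so for nested payloads `MaliciousCommand` will be truncated and the Base64 extraction will usually miss; a `matches regex` extraction that balances the braces, or simply projecting the raw `details_data_s` alongside, gives responders the full string.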
From 7031f044abf1068f0f144eda46c573205b5ff3ce Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:58 +0000
Subject: [PATCH 070/375] Exported file: Base64 encoded Windows process
command-lines (Normalized Process Events).json.json
---
...and-lines (Normalized Process Events).json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
new file mode 100644
index 00000000..7ceaecf7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imProcessCreate\n | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n | where isnotempty(Process)\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Base64 encoded Windows process command-lines (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca"
+ }
+ }
+ ]
+}
\ No newline at end of file
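Review bot: `CommandLine contains "TVqQAAMAAAAEAAA"` uses a case-insensitive operator on a case-sensitive base64 literal; `contains_cs` is the right operator here and costs nothing. The literal also only matches a PE whose DOS header begins `MZ\x90\x00\x03…` and is base64-encoded from byte offset zero, so a stub such as the `MZP` header Delphi-built binaries carry (which encodes to `TVpQAAIAAAAE…`), an `MZ\x00` header (`TVoA…`), or a payload whose encoding starts one or two bytes before the header will not match — a small set of `contains_cs` alternatives, or `matches regex`, would widen coverage without loosening it much. With `queryFrequency`/`queryPeriod` both `P1D`, an encoded-PE launch can sit unalerted for up to a day, which seems long for an Execution-tactic rule that fires on a single row (`triggerThreshold` 0); consider an hourly cadence.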
From 7dc0b6ec1a955d20c1f433e7ffd4654300ee9db1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:59 +0000
Subject: [PATCH 071/375] Exported file: Base64 encoded Windows process
command-lines.json.json
---
...encoded Windows process command-lines.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
new file mode 100644
index 00000000..e07eee3a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Base64 encoded Windows process command-lines",
+ "enabled": false,
+ "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.",
+ "alertRuleTemplateName": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad"
+ }
+ }
+ ]
+}
\ No newline at end of file
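Review bot: The `CommandLine contains "TVqQAAMAAAAEAAA"` filter is applied after the `summarize` inside `ProcessCreationEvents`, so every 4688 event in the day is grouped by Computer/Account/CommandLine/ParentProcessName before a single row is discarded; moving the `where` ahead of the `summarize` (into `processEvents`, right after `isnotempty(CommandLine)`) yields the same rows and avoids aggregating a full day of process creations. `contains` is case-insensitive while base64 is case-sensitive, so `contains_cs` is the correct operator (the Normalized Process Events twin of this rule in the same series has the same issue). The 4688 `CommandLine` field is presumably only populated where command-line auditing is enabled on the host — the description should say so, since the rule is silently blind otherwise.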
From 366fea95f01cb06bd139335eead23b0a8665bf66 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:15:59 +0000
Subject: [PATCH 072/375] Exported file: Brute Force Attack against GitHub
Account.json.json
---
...e Force Attack against GitHub Account.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
diff --git a/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
new file mode 100644
index 00000000..eebc9526
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d5851b1-5d59-44da-9b51-5a0482707723')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d5851b1-5d59-44da-9b51-5a0482707723')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\nlet GitHubFailedSSOLogins = (table(tableName) \n| where AppDisplayName == \"GitHub.com\" \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \n| join kind=innerunique ( \n GitHubFailedSSOLogins \n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute Force Attack against GitHub Account",
+ "enabled": false,
+ "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.",
+ "alertRuleTemplateName": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06"
+ }
+ }
+ ]
+}
\ No newline at end of file
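Review bot: The schedule and the scoring window disagree: with `StartTime = 1h` and `RunTime = 1h` the query only scores failed sign-ins from the last hour (`between (ago(StartTime) .. ago(EndRunTime))`), yet `queryFrequency` is `P1D`, so 23 of every 24 hours are never evaluated — either set `"queryFrequency": "PT1H"` or widen `RunTime` to the daily cadence. `queryPeriod` is likewise `P1D` while the baseline needs `EndLearningTime` = 8 days of history; if Sentinel bounds the query to its lookback (worth confirming), the learning average is computed from one day rather than seven. Separately, `join kind=innerunique` drops any account with no failed sign-ins in the learning period, so a first-time spike against a previously clean account — exactly the case `MinThreshold = 10` is meant to cover — can never alert; a `rightouter` join with `where FailedLoginsCountInRunTime > coalesce(LearningThreshold, MinThreshold)` (taking `UserPrincipalName` from the right side) keeps those rows.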
From 0824e9848b20deb050acfa81f8dc4847675bbbbf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:00 +0000
Subject: [PATCH 073/375] Exported file: Brute force attack against Azure
Portal.json.json
---
...ute force attack against Azure Portal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
new file mode 100644
index 00000000..7c751939
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1d14a23e-7c19-4d9b-8775-eb282774958d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1d14a23e-7c19-4d9b-8775-eb282774958d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| where AppDisplayName has \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against Azure Portal",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+ "alertRuleTemplateName": "28b42356-45af-40a6-a0b4-a554cdfd5d8a"
+ }
+ }
+ ]
+}
\ No newline at end of file
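Review bot: `Status = todynamic(DeviceDetail)` in the first `extend` is a copy-paste slip and should read `Status = todynamic(Status)`; as written, `StatusCode`/`StatusDetails` are read out of the device record and come back empty. The slip is silent today because neither derived column is used further down (the `summarize` keys and `make_set` calls never reference them), but anyone adding them to the output or to an entity mapping will get wrong data. Either fix the conversion or drop the unused `StatusCode`/`StatusDetails` extension.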
From df43cc1e78ea8e79fe131c36ad0b7b62d7a38fb7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:01 +0000
Subject: [PATCH 074/375] Exported file: Brute force attack against a Cloud
PC.json.json
---
...Brute force attack against a Cloud PC.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
new file mode 100644
index 00000000..0535916e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nSigninLogs\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| where AppDisplayName =~ \"Windows Sign In\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against a Cloud PC",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.",
+ "alertRuleTemplateName": "3fbc20a4-04c4-464e-8fcb-6667f53e4987"
+ }
+ }
+ ]
+}
\ No newline at end of file
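Review bot: `makeset` and `mvexpand` are the legacy spellings; the Azure Portal rule exported in this same series uses `make_set` and `mv-expand`, and the two near-identical queries should agree (`IPAddress = make_set(IPAddress)` … `| mv-expand IPAddress`). Unlike that rule, this one reads only `SigninLogs`, so `Windows Sign In` failures that land in `AADNonInteractiveUserSignInLogs` are not covered — if Cloud PC sign-ins can surface there (worth confirming), wrap the query in the same `aadFunc(tableName)` pattern with `todynamic()` on `DeviceDetail`/`Status`/`LocationDetails`, as the Portal rule does. The `StatusCode`/`StatusDetails` extensions are unused in the output and can go.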
From 6dc594b4488ad2505fb11979b4b9d8894ebef868 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:02 +0000
Subject: [PATCH 075/375] Exported file: Brute force attack against user
credentials (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
new file mode 100644
index 00000000..981a8c70
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nimAuthentication\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\n , FailureCount = countif(EventResult=='Failure')\n , SuccessCount = countif(EventResult=='Success') \n // might be improved by counting FailReason:Outdated as Success.\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against user credentials (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against a user highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
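Review bot: The rule has no `entityMappings` block, so the incidents it raises carry no Account or IP entities — every other brute-force rule in this series maps `AccountCustomEntity`/`IPCustomEntity`, and without a mapping the investigation graph, entity pages and any future entity-based grouping have nothing to work with. Because `IPAddress = make_set(SrcDvcIpAddr)` is an array, append `| mv-expand IPAddress | extend IPAddress = tostring(IPAddress)` to the query before mapping it, then map `TargetUsername` to Account `FullName` and `IPAddress` to IP `Address` as below. The `// might be improved by counting FailReason:Outdated as Success.` comment is an open design question that should be resolved or moved to the description rather than shipped inside the query.

```json
      "entityMappings": [
        {
          "entityType": "Account",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "TargetUsername" }
          ]
        },
        {
          "entityType": "IP",
          "fieldMappings": [
            { "identifier": "Address", "columnName": "IPAddress" }
          ]
        }
      ],
```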
From 5268ef9adc70aa913d64446ea36dcad5aa71d000 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:03 +0000
Subject: [PATCH 076/375] Exported file: Bulk Changes to Privileged Account
Permissions.json.json
---
...ges to Privileged Account Permissions.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
diff --git a/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
new file mode 100644
index 00000000..18bc8b11
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/814a077a-8846-4195-af81-d17d1bbfd54d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/814a077a-8846-4195-af81-d17d1bbfd54d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Bulk Changes to Privileged Account Permissions",
+ "enabled": false,
+ "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+ "alertRuleTemplateName": "218f60de-c269-457a-b882-9966632b9dc6"
+ }
+ }
+ ]
+}
\ No newline at end of file
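Review bot: The pipeline that expands `TargetResources`, filters on `Role.DisplayName` and derives `Target` is written out twice — once for the hourly `dcount` and again on the `rightsemi` side — with the threshold `dcount_Target > 9` and the `1h` bin hard-coded in both copies; fold it into one `let PrivilegedRoleAdds = AuditLogs | … ;` plus `let Threshold = 9; let Window = 1h;` and reuse it on both sides of the join so the copies cannot drift. `RoleName contains "Admin"` is the only notion of "privileged" here, which silently excludes sensitive roles whose names lack the word (Global Reader, Directory Writers, for example); an explicit role list via `has_any` would be clearer and auditable. The rule also keys on `TargetResources.userPrincipalName`, so assignments whose target is a group or service principal presumably collapse into a single empty `Target` — worth either filtering `isnotempty(Target)` or falling back to `TargetResources.displayName`.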
From 6e4e3aa8f16c5fe46f5659c6cc3deae32cf3f4cf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:04 +0000
Subject: [PATCH 077/375] Exported file: CAC Bugbash_ Valid Analytics Rule
2.json.json
---
.../CAC Bugbash_ Valid Analytics Rule 2.json | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
diff --git a/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
new file mode 100644
index 00000000..9a34a1d6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c192267-ac8a-4182-9336-f5e7647fe9e5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c192267-ac8a-4182-9336-f5e7647fe9e5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "productFilter": "Microsoft 365 Insider Risk Management",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayNamesExcludeFilter": null,
+ "displayName": "CAC Bugbash: Valid Analytics Rule 2",
+ "enabled": true,
+ "description": "Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
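Review bot: This is the only rule in this part of the series exported with `"enabled": true`, and its display name `CAC Bugbash: Valid Analytics Rule 2` reads like a bug-bash test artefact rather than a production detection; confirm it is meant to be committed, and if so give it a descriptive name. With `severitiesFilter`, `displayNamesFilter` and `displayNamesExcludeFilter` all `null`, every Microsoft 365 Insider Risk Management alert becomes an incident — consistent with the description, but stating it explicitly (`"severitiesFilter": ["High", "Medium", "Low", "Informational"]`) documents the intent instead of relying on the null default.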
From a194a5ab51d844dc1aea0f4b6c0a079c5e7b6c6b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:04 +0000
Subject: [PATCH 078/375] Exported file: Changes made to AWS CloudTrail
logs.json.json
---
.../Changes made to AWS CloudTrail logs.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
diff --git a/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
new file mode 100644
index 00000000..9119d665
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe98a5-5be4-4a6c-9808-eef4c1946f37')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe98a5-5be4-4a6c-9808-eef4c1946f37')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"UpdateTrail\",\"DeleteTrail\",\"StopLogging\",\"DeleteFlowLogs\",\"DeleteEventBus\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Changes made to AWS CloudTrail logs",
+ "enabled": false,
+ "description": "Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ",
+ "alertRuleTemplateName": "610d3850-c26f-4f20-8d86-f10fdf2425f5"
+ }
+ }
+ ]
+}
\ No newline at end of file
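Review bot: `EventNameList` covers stopping or deleting a trail but not `PutEventSelectors`, the CloudTrail call that narrows what an existing trail records (dropping management or data events) without ever stopping it — add it, and consider the CloudWatch Logs `DeleteLogGroup`/`DeleteLogStream` calls, which remove the delivered copies of the same logs. The `summarize` does not carry `ErrorCode` (the table exposes it), so a denied attempt and a successful `DeleteTrail` produce indistinguishable alerts; adding `ErrorCode` to the `by` clause lets analysts and automation tell attempted from completed tampering. `"severity": "Low"` for an action that blinds the audit trail is presumably inherited from the template but worth reconsidering. Minor: the description misspells `DelteteFlowLogs`.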
From e8a9e0ce905a6023134c4b5519127e7f242a87c1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:05 +0000
Subject: [PATCH 079/375] Exported file: Changes to AWS Elastic Load Balancer
security groups.json.json
---
...Elastic Load Balancer security groups.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
new file mode 100644
index 00000000..2e040b09
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Elastic Load Balancer security groups",
+ "enabled": false,
+ "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/.",
+ "alertRuleTemplateName": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
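Review bot: The `query` line counts every `ApplySecurityGroupsToLoadBalancer` / `SetSecurityGroups` call, including ones AWS rejected, so a denied attempt and a real change produce identical alerts. If the connector populates the `ErrorCode` column, separating them is one line, e.g. `| where isempty(ErrorCode)` to alert only on changes that took effect, or add `ErrorCode` to the `by` clause so the analyst can tell the two apart. With `queryFrequency` and `queryPeriod` both `P1D`, a change surfaces up to a day later; that may be acceptable for a Low-severity rule but is worth stating in the description. Note the rule is exported with `"enabled": false`, so deploying this template as-is creates an inert rule.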
From 1aa2e5076f7449c8614cdbc8135f01147d44cd8d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:06 +0000
Subject: [PATCH 080/375] Exported file: Changes to AWS Security Group ingress
and egress settings.json.json
---
...ity Group ingress and egress settings.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
new file mode 100644
index 00000000..71c08bd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Security Group ingress and egress settings",
+ "enabled": false,
+ "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.",
+ "alertRuleTemplateName": "4f19d4e3-ec5f-4abc-9e61-819eb131758c"
+ }
+ }
+ ]
+}
\ No newline at end of file
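Review bot: The `summarize ... by` clause in the `query` line drops `RequestParameters`, which is where the CIDR range, ports and group ID of an `AuthorizeSecurityGroupIngress` call are recorded, so the alert cannot show whether a rule was opened to `0.0.0.0/0` or to a single internal host. Carrying it through, e.g. `| extend Rule = tostring(RequestParameters)` before the summarize and adding `Rule` to the `by` list, keeps that context and would let a follow-up raise the severity for world-open ingress. As written, `Revoke*` and `Authorize*` are treated identically even though the description only talks about exposure, which is worth a sentence there. The description also misspells `enviornment`.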
From 467eac4016ecb61e9c74c836547f1be66f4d9b26 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:06 +0000
Subject: [PATCH 081/375] Exported file: Changes to Amazon VPC
settings.json.json
---
.../Changes to Amazon VPC settings.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
new file mode 100644
index 00000000..087b4a2c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation",
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Changes to Amazon VPC settings",
+ "enabled": false,
+ "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html",
+ "alertRuleTemplateName": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
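Review bot: `AccountCustomEntity = UserIdentityUserName` in the `query` line leaves the Account entity empty for calls made through an assumed role, where the principal appears under the session issuer rather than `UserIdentityUserName`; the neighbouring AWS rules in this export already handle that with `iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)`. Aligning this rule is a one-line change: `| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)` before the summarize, then `AccountCustomEntity = User`. The watched list covers only `Create*` calls; if the intent is to catch routing and ACL tampering generally, `ReplaceRoute`, `ReplaceRouteTableAssociation` and `DeleteNetworkAclEntry` are candidates, at the cost of more alert volume.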
From 38c19ceba986a5a3ab0981b86af251a0dd1bf682 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:07 +0000
Subject: [PATCH 082/375] Exported file: Changes to internet facing AWS RDS
Database instances.json.json
---
...net facing AWS RDS Database instances.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
diff --git a/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
new file mode 100644
index 00000000..7abccb3b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to internet facing AWS RDS Database instances",
+ "enabled": false,
+ "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html",
+ "alertRuleTemplateName": "8c2ef238-67a0-497d-b1dd-5c8a0f533e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
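Review bot: The display name promises detection of changes to internet-facing RDS instances, but `EventNameList` in the `query` line only watches the `*DBSecurityGroup*` APIs, which belong to the legacy EC2-Classic DB security group model; the usual way an instance becomes internet-facing is `CreateDBInstance` or `ModifyDBInstance` with `publiclyAccessible` set to true in `RequestParameters`, and that is not covered. Consider either renaming the rule to what it detects or adding `CreateDBInstance` and `ModifyDBInstance` to the list and filtering on the `publiclyAccessible` value inside `RequestParameters`. As in the other AWS rules here, `AccountCustomEntity = UserIdentityUserName` yields an empty Account entity for assumed-role sessions. The description's second sentence is unfinished (`monitoring changes to especially internet facing AWS RDS (Relational Database Service)`).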
From 8d17363a3f6576a5aa76a3d3a958143287c1c25f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:08 +0000
Subject: [PATCH 083/375] Exported file: Chia_Crypto_Mining - Domain, Process,
Hash and IP IOCs - June 2021.json.json
---
...Process, Hash and IP IOCs - June 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
diff --git a/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
new file mode 100644
index 00000000..6fd88e78
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda5807c-80cb-4159-adcb-884589deef20')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda5807c-80cb-4159-adcb-884589deef20')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in 
(IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Chia crypto IOC detected', Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, 
ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = 'Chia crypto IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlertDetail = 'Chia crypto IOC detected', FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source 
== \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, 
FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.",
+ "alertRuleTemplateName": "595a10c9-91be-4abb-bbc7-ae9c57848bef"
+ }
+ }
+ ]
+}
\ No newline at end of file
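Review bot: The FileHash entity mapping (`"entityType": "FileHash"`) maps only `Value`, although the query sets `FileHashAlgo = 'SHA256'` in every hash-bearing branch; the FileHash entity also takes an `Algorithm` identifier, and without it the hash is not reliably matched against threat-intelligence indicators or other incidents. Adding `{ "identifier": "Algorithm", "columnName": "FileHashAlgo" }` next to the existing `Value` mapping fixes that, since `FileHashAlgo` already reaches the output of the union. The `externaldata` call at the top of the query fetches the IOC CSV from the `master` branch of a public GitHub repository on every run, so the rule's detection content is whatever that file says at that moment and silently stops matching if the URL is unreachable; pinning to a commit SHA or importing the IOCs into a Sentinel watchlist removes that runtime dependency. The Sysmon branches read fields by position (`EventDetail.[9]`, `.[14]`, `.[4]`, `.[10]`, `.[17]`), which breaks silently on a different Sysmon schema version, as the in-query comment already hints.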
From 215c87a1e08abd17d95902cebfccf7538e8b6fd8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:09 +0000
Subject: [PATCH 084/375] Exported file: Cisco - firewall block but success
logon to Azure AD.json.json
---
...l block but success logon to Azure AD.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
diff --git a/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
new file mode 100644
index 00000000..49e0d333
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet aadFunc = (tableName:string){\nCommonSecurityLog\n| where DeviceVendor =~ \"Cisco\"\n| where DeviceAction =~ \"denied\"\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where SourceIPType == \"public\"\n| summarize count() by SourceIP\n| join (\n // Successful signins from IPs blocked by the firewall solution are suspect\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\n // as that supposes the password was sucessfully guessed.\n table(tableName)\n | where ResultType in (\"0\", \"50074\", \"50076\") \n) on $left.SourceIP == $right.IPAddress\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco - firewall block but success logon to Azure AD",
+ "enabled": false,
+ "description": "Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\nand could indicate credential compromise for the user account.",
+ "alertRuleTemplateName": "157c0cfc-d76d-463b-8755-c781608cdc1a"
+ }
+ }
+ ]
+}
\ No newline at end of file
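Review bot: The join in the `query` line correlates any Cisco deny and any successful sign-in that share a public IP within the same one-day window, with no time ordering between them, so a single port-scan deny against a corporate NAT egress address turns every user signing in from that office into a Medium incident. Tightening it is cheap: require a minimum `count_` of denies from the IP, or keep deny timestamps in the summarize (`FirstDeny = min(TimeGenerated)`) and require the sign-in to fall after `FirstDeny`. `PrivateIPregex` omits link-local `169.254.`, CGNAT `100.64.`–`100.127.` and IPv6, so those sources are classed as public; whether that matters depends on what the Cisco devices actually log. The query comment misspells `sucessfully`.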
From f855f089f54920eee727c5465e96e57d3109bebd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:10 +0000
Subject: [PATCH 085/375] Exported file: Cisco ASA - average attack detection
rate increase.json.json
---
...verage attack detection rate increase.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
new file mode 100644
index 00000000..1a3d96bd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a9a7b49-4e79-4f64-b778-209a63227af1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a9a7b49-4e79-4f64-b778-209a63227af1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeframe = 1h;\nlet last1h = CommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlet prev6h = CommonSecurityLog \n| where TimeGenerated between (ago(6h) .. 
ago(1h))\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlast1h | join (\n prev6h \n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Cisco ASA - average attack detection rate increase",
+ "enabled": false,
+ "description": "This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html",
+ "alertRuleTemplateName": "79f29feb-6a9d-4cdf-baaa-2daf480a5da1"
+ }
+ }
+ ]
+}
\ No newline at end of file
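Review bot: The alert timestamp points into the baseline window instead of the hour that spiked: `StartTimeUtc`/`EndTimeUtc` are computed by `min/max(TimeGenerated)` inside the `prev6h` summarize, and the closing `extend timestamp = StartTimeUtc` therefore dates the alert up to six hours before the doubling it reports, which also mis-places the incident on the timeline. Move the bounds into the `last1h` summarize (`summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), last1hCumTotal = sum(CumulativeTotal), ...`) and drop them from `prev6h`, or keep both and rename the baseline pair `BaselineStart`/`BaselineEnd`. The join is the default inner kind on `DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate`, so a key combination that first appears in the last hour with no rows in the previous six — arguably the most interesting case — is silently dropped rather than alerted; if that is not intended, use `join kind=leftouter` and add an explicit `isnull(prev6hCumTotal)` branch. Every parsed field also comes from positional `split()` on the free-text `Message` (on `"]"`, `"."` and `" "`); should the bracketed object ever contain dots, the fields shift and the row falls out of the join without error, so a guard such as `| where isnotempty(SourceOfDropRateCount) and isnotnull(CurrentAvgRatePerSec)` after the extends, or a `parse` statement with an explicit pattern, would make failures visible.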
From 2387e6cd418df4ab2ea9e99439366bae430babe1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:11 +0000
Subject: [PATCH 086/375] Exported file: Cisco ASA - threat detection message
fired.json.json
---
... ASA - threat detection message fired.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
new file mode 100644
index 00000000..be3f7747
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCommonSecurityLog \n| where isempty(CommunicationDirection) \n| where DeviceEventClassID in (\"733101\",\"733102\",\"733103\",\"733104\",\"733105\")\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Cisco ASA - threat detection message fired",
+ "enabled": false,
+ "description": "Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html",
+ "alertRuleTemplateName": "795edf2d-cf3e-45b5-8452-fe6c9e6a582e"
+ }
+ }
+ ]
+}
\ No newline at end of file
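Review bot: The query selects on `DeviceEventClassID in ("733101",...,"733105")` and `isempty(CommunicationDirection)` alone, with no `DeviceVendor`/`DeviceProduct` filter, so any other CEF source in `CommonSecurityLog` that reuses those numeric event IDs and leaves `CommunicationDirection` empty will raise a "Cisco ASA" alert. Add `| where DeviceVendor =~ "Cisco" and DeviceProduct =~ "ASA"` ahead of the event-ID filter (confirm the exact values your ASA connector populates; the column contents are not visible here). Minor: the description reads "inicated" for "indicated".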
From 21c301294e27bdb04519a71d39969d1f10ae3046 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:11 +0000
Subject: [PATCH 087/375] Exported file: Cisco Umbrella - Connection to
Unpopular Website Detected.json.json
---
...nection to Unpopular Website Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
new file mode 100644
index 00000000..ada78069
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
+ "enabled": false,
+ "description": "Detects first connection to an unpopular website (possible malicious payload delivery).",
+ "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7"
+ }
+ }
+ ]
+}
\ No newline at end of file
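Review bot: The query ends with `extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`, but the rule declares no `entityMappings` property, so neither the source IP nor the URL reaches the alert as an entity and grouping, entity pages and entity-driven playbooks get nothing. Sibling rules in this series declare the mapping explicitly; add `"entityMappings": [{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "SrcIpAddr"}]}, {"entityType": "URL", "fieldMappings": [{"identifier": "Url", "columnName": "UrlOriginal"}]}]` alongside `incidentConfiguration`. Note the column is spelled `IpCustomEntity` while the rest of the series uses `IPCustomEntity`, so even a legacy name-based mapping would not pick it up. With `queryFrequency: P1D`, `triggerThreshold: 0` and grouping disabled, a single daily alert will carry every first-seen hostname; a `summarize` by `SrcIpAddr`/`Hostname`, or enabling `groupingConfiguration` on the IP entity, would give analysts something they can triage.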
From 6b682195eb5a85246873e423ba5bf5458b6f006a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:12 +0000
Subject: [PATCH 088/375] Exported file: Cisco Umbrella - Connection to
non-corporate private network.json.json
---
...tion to non-corporate private network.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
new file mode 100644
index 00000000..a1810d0d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to non-corporate private network",
+ "enabled": false,
+ "description": "IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.",
+ "alertRuleTemplateName": "c9b6d281-b96b-4763-b728-9a04b9fe1246"
+ }
+ }
+ ]
+}
\ No newline at end of file
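Review bot: The lookback is hard-coded twice — `let lbtime = 10m; ... where TimeGenerated > ago(lbtime)` inside the query and `queryPeriod: PT10M` on the rule, with `queryFrequency` also PT10M. Sentinel already bounds the query to `queryPeriod`, so the in-query filter adds nothing except the risk that an operator who widens `queryPeriod` to absorb ingestion delay (the usual mitigation for events that land after their ten-minute slot was scanned) finds the query still silently capped at 10m. Drop the `let lbtime`/`ago(lbtime)` lines and let `queryPeriod` govern the window, as the "threat detection message fired" rule in this series does, or at minimum set `queryPeriod` larger than `queryFrequency`. `Identities` is mapped straight to an Account `FullName`; if Umbrella reports several identities for one request the entity will hold the whole delimited string — confirm against the connector's field format before relying on it for grouping.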
From 2212c41e6d9ed93b4faa969a14244aebb31b47c1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:13 +0000
Subject: [PATCH 089/375] Exported file: Cisco Umbrella - Crypto Miner
User-Agent Detected.json.json
---
...la - Crypto Miner User-Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
new file mode 100644
index 00000000..b77d766f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"XMRig\" or HttpUserAgentOriginal contains \"ccminer\"\n| extend Message = \"Crypto Miner User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Crypto Miner User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by crypto miners in proxy logs.",
+ "alertRuleTemplateName": "b619d1f1-7f39-4c7e-bf9e-afbb46457997"
+ }
+ }
+ ]
+}
\ No newline at end of file
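Review bot: The `project` keeps `SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal` but drops `Identities`, so unlike the "non-corporate private network" and "harmful_malicious URI" rules in this series the user behind a mining user-agent hit never reaches the alert, and the rule declares no `entityMappings` at all, leaving `IpCustomEntity`/`UrlCustomEntity` as plain result columns. Add `Identities` to the projection and an `entityMappings` array covering IP (`SrcIpAddr`), URL (`UrlOriginal`) and Account (`Identities`). The two `contains` checks could become `| where HttpUserAgentOriginal has_any (dynamic(["XMRig", "ccminer"]))` so the indicator list can grow without editing the predicate; `has_any` is term-based rather than substring, so verify it still matches agent strings such as `XMRig/6.x` before switching.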
From 41b3aebb9fd1c0d811df0ef64b3a96f37984b575 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:14 +0000
Subject: [PATCH 090/375] Exported file: Cisco Umbrella - Empty User Agent
Detected.json.json
---
... Umbrella - Empty User Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
new file mode 100644
index 00000000..970fe218
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal == ''\n| extend Message = \"Empty User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Empty User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "2b328487-162d-4034-b472-59f1d53684a1"
+ }
+ }
+ ]
+}
\ No newline at end of file
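Review bot: An empty `HttpUserAgentOriginal` is routine for legitimate non-browser clients (updaters, agents, API calls), yet this rule fires at `severity: Medium` on every such request every 15 minutes with `triggerThreshold: 0` and incident grouping disabled, which at typical proxy volumes means a steady stream of incidents. Consider `| summarize Hits = count(), Urls = make_set(UrlOriginal, 20) by SrcIpAddr, bin(TimeGenerated, 15m)` so one row per source per window is produced, then enable `groupingConfiguration` on the IP entity and start at Low severity until a baseline exists. As with the other Umbrella user-agent rules here, `IpCustomEntity`/`UrlCustomEntity` are set but no `entityMappings` is declared, so no entities reach the incident.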
From 3c4a89248e2d2960f6ffc1724a8f1c94eb0ba878 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:14 +0000
Subject: [PATCH 091/375] Exported file: Cisco Umbrella - Hack Tool User-Agent
Detected.json.json
---
...rella - Hack Tool User-Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
new file mode 100644
index 00000000..84affc5a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nlet user_agents=dynamic([\n '(hydra)',\n ' arachni/',\n ' BFAC ',\n ' brutus ',\n ' cgichk ',\n 'core-project/1.0',\n ' crimscanner/',\n 'datacha0s',\n 'dirbuster',\n 'domino hunter',\n 'dotdotpwn',\n 'FHScan Core',\n 'floodgate',\n 'get-minimal',\n 'gootkit auto-rooter scanner',\n 'grendel-scan',\n ' inspath ',\n 'internet ninja',\n 'jaascois',\n ' zmeu ',\n 'masscan',\n ' metis ',\n 'morfeus fucking scanner',\n 'n-stealth',\n 'nsauditor',\n 'pmafind',\n 'security scan',\n 'springenwerk',\n 'teh forest lobster',\n 'toata dragostea',\n ' vega/',\n 'voideye',\n 'webshag',\n 'webvulnscan',\n ' whcc/',\n ' Havij',\n 'absinthe',\n 'bsqlbf',\n 'mysqloit',\n 'pangolin',\n 'sql power injector',\n 'sqlmap',\n 'sqlninja',\n 'uil2pn',\n 'ruler',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Hack Tool User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by known hack tools",
+ "alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
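Review bot: The matched indicator is not surfaced: the query projects `HttpUserAgentOriginal`, but the rule has neither `customDetails` nor `entityMappings`, so an analyst opening the incident sees neither which entry of the user-agent list hit nor the source IP/URL as entities. Add `"customDetails": { "UserAgent": "HttpUserAgentOriginal", "RequestedUrl": "UrlOriginal" }` next to an `entityMappings` array (IP ← `SrcIpAddr`, URL ← `UrlOriginal`) so the hit is visible without re-running the query. The list mixes short tool fragments (`'ruler'`, `'masscan'`, `' metis '`) with one complete Firefox 3.5.2 browser string and no stated provenance; `has_any` is term-based, so the leading/trailing spaces in entries like `' metis '` are unlikely to act as word-boundary anchors — verify that, record the list's source in `description`, and review generic words such as `ruler` and `metis` for collisions with legitimate product names.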
From 289c6a42eda0e48ec3cf47fddbc288a1d660d2e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:15 +0000
Subject: [PATCH 092/375] Exported file: Cisco Umbrella - Rare User Agent
Detected.json.json
---
...o Umbrella - Rare User Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
new file mode 100644
index 00000000..d366425b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookBack = 14d;\nlet timeframe = 1d;\nlet user_agents_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\n| summarize count() by HttpUserAgentOriginal\n| summarize make_list(HttpUserAgentOriginal);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal !in (user_agents_list)\n| extend Message = \"Rare User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Rare User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "8c8de3fa-6425-4623-9cd9-45de1dd0569a"
+ }
+ }
+ ]
+}
\ No newline at end of file
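Review bot: Every user-agent string absent from the previous 13 days fires a Medium alert per request, and because browser and app updates change version strings routinely — a new Chrome or Firefox release alters the UA of a whole fleet at once — the first day after any rollout will produce a burst of alerts with grouping disabled. Aggregate before alerting, e.g. `| summarize Hits = count(), Sources = dcount(SrcIpAddr), SampleUrl = any(UrlOriginal) by HttpUserAgentOriginal` and alert only where `Sources` is small, which is what makes an agent "rare" rather than merely new. The intermediate `summarize count() by HttpUserAgentOriginal` is used only to dedupe, so `| distinct HttpUserAgentOriginal` states the intent directly, and as in the other Umbrella rules `IpCustomEntity`/`UrlCustomEntity` need a matching `entityMappings` entry to become entities.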
From 79a0f3d24c516614717e98debdca16525eb68f57 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:16 +0000
Subject: [PATCH 093/375] Exported file: Cisco Umbrella - Request Allowed to
harmful_malicious URI category.json.json
---
...wed to harmful_malicious URI category.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
new file mode 100644
index 00000000..e6d0a858
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n UrlCategory contains 'Adware' or\n UrlCategory contains 'Alcohol' or\n UrlCategory contains 'Illegal Downloads' or\n UrlCategory contains 'Drugs' or\n UrlCategory contains 'Child Abuse Content' or\n UrlCategory contains 'Hate/Discrimination' or\n UrlCategory contains 'Nudity' or\n UrlCategory contains 'Pornography' or\n UrlCategory contains 'Proxy/Anonymizer' or\n UrlCategory contains 'Sexuality' or\n UrlCategory contains 'Tasteless' or\n UrlCategory contains 'Terrorism' or\n UrlCategory contains 'Web Spam' or\n UrlCategory contains 'German Youth Protection' or\n UrlCategory contains 'Illegal Activities' or\n UrlCategory contains 'Lingerie/Bikini' or\n UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
+ "enabled": false,
+ "description": "It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..",
+ "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
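Review bot: Several categories in the `where` chain (`Adult Themes`, `Alcohol`, `Nudity`, `Lingerie/Bikini`, `Sexuality`, `Tasteless`, `German Youth Protection`, `Weapons`) are acceptable-use classifications rather than "harmful/malicious" content, yet every allowed request to them becomes a Medium incident tagged `CommandAndControl`/`InitialAccess`, which inflates the queue and files HR/policy matters as intrusions. Split the rule: keep the categories that indicate malware delivery or control evasion (`Adware`, `Illegal Downloads`, `Proxy/Anonymizer`, `Web Spam`) here, give the legal-escalation categories (`Child Abuse Content`, `Terrorism`) their own High-severity rule, and move the AUP categories to a Low/Informational rule with no attack tactic. The eighteen `UrlCategory contains ...` clauses collapse to `| where UrlCategory has_any (dynamic(['Adware', 'Illegal Downloads', ...]))`; `has_any` is term-based rather than substring, so confirm it still matches the multi-word Umbrella category names. The description has typos ("reccomended", "shoud", trailing "..") and does not say why an *allowed* request is the signal; state that the rule catches policy gaps where these categories are not yet blocked.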
From 451877905ac6df924e61298df502f301799ac513 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:17 +0000
Subject: [PATCH 094/375] Exported file: Cisco Umbrella - Request to
blocklisted file type.json.json
---
...la - Request to blocklisted file type.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
new file mode 100644
index 00000000..fd09a950
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request to blocklisted file type",
+ "enabled": false,
+ "description": "Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).",
+ "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e"
+ }
+ }
+ ]
+}
\ No newline at end of file
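Review bot: The extension test `| where file_ext in (file_ext_blocklist)` in the query is case-sensitive, so a request for `.PS1` or `.Bat` in `UrlOriginal` is not caught; `in~` (or `tolower()` applied to `file_ext`) closes that gap. The extraction regex `.*(\.\w+)$` also requires the extension to be the very end of the URL, so any query string or fragment after the filename yields an empty `file_ext` and the row is dropped — consider matching on the path only, e.g. `| extend url_path = tostring(split(UrlOriginal, '?')[0])` before the two `extract` calls. The description lists `.ps1, .bat, .vbs, etc.` while the blocklist is exactly four entries; naming `.scr` and dropping `etc.` keeps the text aligned with the rule.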
From 4deecfd962d6794ed300181b1445148502985686 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:18 +0000
Subject: [PATCH 095/375] Exported file: Cisco Umbrella - URI contains IP
address.json.json
---
...co Umbrella - URI contains IP address.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
new file mode 100644
index 00000000..6dbbecf9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlOriginal matches regex @'\\Ahttp:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - URI contains IP address",
+ "enabled": false,
+ "description": "Malware can use IP address to communicate with C2.",
+ "alertRuleTemplateName": "ee1818ec-5f65-4991-b711-bcf2ab7e36c3"
+ }
+ }
+ ]
+}
\ No newline at end of file
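Review bot: The pattern `@'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'` in the query covers only the `http://` scheme, so a request to an IP address over `https://` passes the rule untouched, and because `matches regex` is case-sensitive an upper-case scheme is missed as well. `@'(?i)\Ahttps?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:[:\/?#]|$)'` covers both schemes and the terminator stops a value such as `http://1.2.3.4567` from matching through the trailing `.*`. In the JSON value the backslashes stay doubled as in the existing string.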
From 98da81ab3f632c1945e1fbd3116f85bbebd4c360 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:18 +0000
Subject: [PATCH 096/375] Exported file: Cisco Umbrella - Windows PowerShell
User-Agent Detected.json.json
---
...indows PowerShell User-Agent Detected.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
new file mode 100644
index 00000000..81fa4a71
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"WindowsPowerShell\"\n| extend Message = \"Windows PowerShell User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Windows PowerShell User-Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "b12b3dab-d973-45af-b07e-e29bb34d8db9"
+ }
+ }
+ ]
+}
\ No newline at end of file
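Review bot: The query ends with `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal` but the `properties` object has no `entityMappings` block, unlike every other rule in this series, so the alert carries no IP or URL entities and incident grouping by entity has nothing to work with. Adding the mapping below, between `incidentConfiguration` and `tactics`, makes the two columns usable; the `URL` entity uses the `Url` identifier. The description also says the rule detects activity "by an unusual process other than a web browser", while the query only tests `HttpUserAgentOriginal contains "WindowsPowerShell"` — rewording it to `Detects requests whose User-Agent identifies Windows PowerShell rather than a web browser.` matches what the query actually does.
```json
      },
      "entityMappings": [
        {
          "entityType": "IP",
          "fieldMappings": [
            { "identifier": "Address", "columnName": "IpCustomEntity" }
          ]
        },
        {
          "entityType": "URL",
          "fieldMappings": [
            { "identifier": "Url", "columnName": "UrlCustomEntity" }
          ]
        }
      ],
      "tactics": [
```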
From 2faafbc86dc84bb652ebea622ea648c1c295a6b2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:19 +0000
Subject: [PATCH 097/375] Exported file: ClientDeniedAccess.json.json
---
.../ClientDeniedAccess.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ClientDeniedAccess.json
diff --git a/SentinelExported-AnalyticsRule/ClientDeniedAccess.json b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
new file mode 100644
index 00000000..2f672e37
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ClientDeniedAccess",
+ "enabled": false,
+ "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
+ "alertRuleTemplateName": "a9956d3a-07a9-44a6-a279-081a85020cae"
+ }
+ }
+ ]
+}
\ No newline at end of file
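Review bot: The `rejectedAccess` subquery in the query ends with `| project ClientIP` after a summarize over `bin(TimeGenerated, 15m)`, so a ClientIP that exceeds the threshold in several 15-minute bins appears several times, and the following `join kind=inner rejectedAccess on ClientIP` then multiplies each matching row once per bin, inflating the `count()` in the final summarize. Replacing that line with `| distinct ClientIP` gives one row per offending IP and a correct count. The description reads `a Client has an excessive amounts of denied access requests`; `an excessive number of denied access requests` is the intended wording.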
From 997f9d9c1caccd0262a3d98739943c376cb143c4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:20 +0000
Subject: [PATCH 098/375] Exported file: Cognni Incidents for Highly Sensitive
Business Information.json.json
---
...Highly Sensitive Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
new file mode 100644
index 00000000..517e9271
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Business Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "44e80f00-b4f5-486b-a57d-4073746276df"
+ }
+ }
+ ]
+}
\ No newline at end of file
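Review bot: The query's `| where TimeGenerated >= ago(5h)` hard-codes the lookback that `"queryPeriod": "PT5H"` already defines, so a later change to `queryPeriod` leaves the query filtering a different window than the rule's schedule; the same pattern appears in the Financial, Governance, HR and Legal hunks and in the three Low Sensitivity hunks that follow. Either drop the `where` clause and rely on `queryPeriod`, or add to the description that the two values must be changed together. `Severity` is filtered as a bare column while the other fields carry custom-log suffixes (`informationType_s`, `userId_s`); if the ingested column is actually suffixed, the `Severity == highRisk` filter never matches — worth confirming against the `CognniIncidents_CL` schema. The `Account`/`FullName` mapping points at `userId_s`; if that column holds an opaque identifier rather than a UPN or display name, entity resolution will be weak, which the description could state.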
From c1ccbcd2a6e366f48a3dff82fc250b8741ca5c8f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:21 +0000
Subject: [PATCH 099/375] Exported file: Cognni Incidents for Highly Sensitive
Financial Information.json.json
---
...ighly Sensitive Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
new file mode 100644
index 00000000..7fe66651
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "7ebb7386-6c99-4331-aab1-a185a603eb47"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 002c2c6265dc3d10cf9e3fb278ae82432f9bc2a9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:22 +0000
Subject: [PATCH 100/375] Exported file: Cognni Incidents for Highly Sensitive
Governance Information.json.json
---
...ghly Sensitive Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
new file mode 100644
index 00000000..aa613d21
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2926ce29-08d2-4654-b2e8-7d8df70095d9"
+ }
+ }
+ ]
+}
\ No newline at end of file
From a80981d4369d327b5b62cf3ddc9f7b309849f6e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:22 +0000
Subject: [PATCH 101/375] Exported file: Cognni Incidents for Highly Sensitive
HR Information.json.json
---
...s for Highly Sensitive HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
new file mode 100644
index 00000000..d1fe6ab3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive HR Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "f68846cf-ec99-497d-9ce1-80a9441564fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From daaf7287e644e5d82afb683af43c6080b5efad64 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:23 +0000
Subject: [PATCH 102/375] Exported file: Cognni Incidents for Highly Sensitive
Legal Information.json.json
---
...or Highly Sensitive Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
new file mode 100644
index 00000000..a5f7c589
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "4f45f43b-3a4b-491b-9cbe-d649603384aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8cc3abf081fb1d8d9d75bae740b10b891c62f09c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:24 +0000
Subject: [PATCH 103/375] Exported file: Cognni Incidents for Low Sensitivity
Business Information.json.json
---
... Low Sensitivity Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
new file mode 100644
index 00000000..88334c0e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity business information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "a0647a60-16f9-4175-b344-5cdd2934413f"
+ }
+ }
+ ]
+}
\ No newline at end of file
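Review bot: The description at the end of the hunk reads `low sensitivity business information] was placed at risk`, where the `]` is a stray character; the Low Sensitivity Governance hunk below carries the same stray bracket. Proposed: `Display incidents in which low sensitivity business information was placed at risk by user sharing.`, and correspondingly for the governance rule.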
From cbd602d989471310c4edb21554f30d0ceab84f0b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:25 +0000
Subject: [PATCH 104/375] Exported file: Cognni Incidents for Low Sensitivity
Financial Information.json.json
---
...Low Sensitivity Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
new file mode 100644
index 00000000..fdb269e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c2516c51ffd7ff4d1c2deb375d1b42af885e55cc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:26 +0000
Subject: [PATCH 105/375] Exported file: Cognni Incidents for Low Sensitivity
Governance Information.json.json
---
...ow Sensitivity Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
new file mode 100644
index 00000000..d73c7c4e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity governance information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d2e40c79-fe8c-428e-8cb9-0e2282d4558c"
+ }
+ }
+ ]
+}
\ No newline at end of file
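Review bot: The `description` on the new side reads `"...low sensitivity governance information] was placed at risk by user sharing."` with a stray `]` after "governance information"; this string is what analysts see on the incident, so it should be `"Display incidents in which low sensitivity governance information was placed at risk by user sharing."`. Separately, the KQL pins the lookback with `| where TimeGenerated >= ago(5h)` while `queryPeriod` is also `PT5H`, so the window is defined in two places and a later change to `queryPeriod` alone would silently have no effect; dropping the inline filter and leaving the lookback to `queryPeriod` keeps one source of truth. With `queryFrequency` equal to `queryPeriod`, rows of `CognniIncidents_CL` that arrive late (ingestion delay) can fall between two runs and never be evaluated; a `queryPeriod` somewhat longer than `queryFrequency` is the usual mitigation when the table's latency is not known. The same two scheduling points apply to the sibling Cognni rules in PATCH 106–112 of this series.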
From 5891bc0a8dc418c580d83792049ad5dc573c1dfb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:27 +0000
Subject: [PATCH 106/375] Exported file: Cognni Incidents for Low Sensitivity
HR Information.json.json
---
...ts for Low Sensitivity HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
new file mode 100644
index 00000000..0eb51774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "ef8654b1-b2cf-4f6c-ae5c-eca635a764e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8843ea939cb21812b759f8e2d92e5a6eee392e07 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:27 +0000
Subject: [PATCH 107/375] Exported file: Cognni Incidents for Low Sensitivity
Legal Information.json.json
---
...for Low Sensitivity Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
new file mode 100644
index 00000000..afb2cb58
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "8374ec0f-d857-4c17-b1e7-93d11800f8fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From f1343594af31410f4500b56090118a15e36e80c4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:28 +0000
Subject: [PATCH 108/375] Exported file: Cognni Incidents for Medium
Sensitivity Business Information.json.json
---
...dium Sensitivity Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
new file mode 100644
index 00000000..6f89ae17
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79061028-980a-4760-881b-52e79c1015c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79061028-980a-4760-881b-52e79c1015c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2c286288-3756-4824-b599-d3c499836c11"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 42166099d7211bc294cea8a166b2a02a3d074ebd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:29 +0000
Subject: [PATCH 109/375] Exported file: Cognni Incidents for Medium
Sensitivity Financial Information.json.json
---
...ium Sensitivity Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
new file mode 100644
index 00000000..d4dd28c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b4049fc9e96eaade0f15286092e6b0d09a4be905 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:30 +0000
Subject: [PATCH 110/375] Exported file: Cognni Incidents for Medium
Sensitivity Governance Information.json.json
---
...um Sensitivity Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
new file mode 100644
index 00000000..2d01b1d4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet goverence = 'Goverence Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == goverence\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "c1d4a005-e220-4d06-9e53-7326a22b8fe4"
+ }
+ }
+ ]
+}
\ No newline at end of file
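Review bot: The query on the new side filters with `let goverence = 'Goverence Information';` and `| where informationType_s == goverence`, whereas the Low-sensitivity counterpart in PATCH 105 uses `'Governance Information'` and this rule's own `displayName` and `description` spell it "Governance". KQL `==` is an exact, case-sensitive string match, so if the connector emits "Governance Information" the misspelled literal matches nothing and the rule silently never fires — a detection gap that `enabled: false` in the export would hide until the rule is switched on. Presumably the intended lines are `let governance = 'Governance Information';` and `| where informationType_s == governance`; which spelling the data actually carries should be confirmed with `CognniIncidents_CL | distinct informationType_s` in the workspace before changing it.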
From ac0b9fa8e47aa0d45b025acf75dc2f78f4dba893 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:31 +0000
Subject: [PATCH 111/375] Exported file: Cognni Incidents for Medium
Sensitivity HR Information.json.json
---
...for Medium Sensitivity HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
new file mode 100644
index 00000000..d70dd2e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "75ff4f7d-0564-4a55-8b25-a75be951cde3"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 79cd129257b568cded522b7245dfc7e422cd89ce Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:31 +0000
Subject: [PATCH 112/375] Exported file: Cognni Incidents for Medium
Sensitivity Legal Information.json.json
---
... Medium Sensitivity Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
new file mode 100644
index 00000000..18f5dc60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "db750607-d48f-4aef-b238-085f4a9882f1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 297c204b553cac09d0a707fbd86ce8a712f37508 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:32 +0000
Subject: [PATCH 113/375] Exported file: CoreBackUp Deletion in correlation
with other related security alerts.json.json
---
...on with other related security alerts.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
diff --git a/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
new file mode 100644
index 00000000..5c93e8a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityAlert\n| extend Extprop = parse_json(ExtendedProperties)\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\"Compromised Host\"]))), toupper(tostring(Extprop[\"Compromised Host\"])), tostring(parse_json(Entities)[0].HostName))\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\"User Name\"]))), tolower(tostring(Extprop[\"User Name\"])), tolower(tostring(Extprop[\"user name\"])))\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\"IpAddress\"]) \n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\n| join kind=inner\n(\nCoreAzureBackup\n| where State =~ \"Deleted\"\n| where OperationName =~ \"BackupItem\"\n| extend data = split(BackupItemUniqueId, \";\")\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\n)\non MachineName\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "CoreBackUp Deletion in correlation with other related security alerts",
+ "enabled": false,
+ "description": "This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.",
+ "alertRuleTemplateName": "011c84d8-85f0-4370-b864-24c13455aa94"
+ }
+ }
+ ]
+}
\ No newline at end of file
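Review bot: The join key is normalized inconsistently on the new side: the `SecurityAlert` branch builds `Computer` with `toupper(...)` (though its fallback `tostring(parse_json(Entities)[0].HostName)` is not uppercased) and aliases it to `MachineName`, while the `CoreAzureBackup` branch projects `tostring(MachineName)` straight from `data[2]` with whatever casing the backup service recorded, and `join kind=inner ... on MachineName` compares strings case-sensitively. Any host whose backup item is stored in lower- or mixed-case therefore never correlates, which is exactly the deletion this rule exists to flag. Normalizing both sides, e.g. `| extend AzureLocation = data[0], VaultId=data[1], MachineName=toupper(tostring(data[2])), DrivesBackedUp=data[3]` on the backup branch and wrapping the `Entities` fallback in `toupper(...)` on the alert branch, removes the dependency on casing; whether the casings really differ in this workspace should be confirmed against the table. Also, `tactics` is `["Impact"]` but `techniques` is `null`; backup destruction corresponds to MITRE ATT&CK T1490 (Inhibit System Recovery), and setting `"techniques": ["T1490"]` lets Sentinel's coverage view account for this rule.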
From 67ffff67e48a7cbe034841ca1c5fd4d9733776d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:33 +0000
Subject: [PATCH 114/375] Exported file: Correlate Unfamiliar sign-in
properties and atypical travel alerts.json.json
---
...properties and atypical travel alerts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
diff --git a/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
new file mode 100644
index 00000000..bf47e8ba
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let Alert1 = \nSecurityAlert\n| where AlertName == \"Unfamiliar sign-in properties\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert1Time = TimeGenerated\n| extend Alert1 = AlertName\n| extend Alert1Severity = AlertSeverity\n;\nlet Alert2 = \nSecurityAlert\n| where AlertName == \"Atypical travel\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert2Time = TimeGenerated\n| extend Alert2 = AlertName\n| extend Alert2Severity = AlertSeverity\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\n;\nAlert1\n| join kind=inner Alert2 on UserPrincipalName\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\n| extend TimeDelta = Alert1Time - Alert2Time\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\n| extend AccountCustomEntity = UserPrincipalName\n| extend IPCustomEntity = CurrentIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Correlate Unfamiliar sign-in properties and atypical travel alerts",
+ "enabled": false,
+ "description": "The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.",
+ "alertRuleTemplateName": "a3df4a32-4805-4c6d-8699-f3c888af2f67"
+ }
+ }
+ ]
+}
\ No newline at end of file
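Review bot: The Atypical travel branch derives `CurrentLocation`, `PreviousLocation`, `CurrentIPAddress` and `PreviousIPAddress` from fixed positions `parse_json(Entities)[1]` and `[2]`, which assumes the entity array always lists the account first and then the current and previous sign-in entities in that order; if the payload ever carries a different entity order or count, these columns silently hold the wrong values or empty strings rather than failing, and `IPCustomEntity` is mapped from that possibly-wrong `CurrentIPAddress`. Selecting the entities by their type field, or at minimum guarding with `| where array_length(parse_json(Entities)) >= 3`, would make the assumption explicit; the exact entity layout of this alert should be confirmed from a sample before changing it. Separately, a `High` severity correlation scheduled with `queryFrequency` and `queryPeriod` of `P1D` can surface up to a day after the second alert, so a shorter frequency with an overlapping period is worth considering if the SOC is expected to act on it promptly.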
From b386817c0c4105f8a897c16d73327b3b9f6ef72e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:34 +0000
Subject: [PATCH 115/375] Exported file: Create Incident for XDR Alerts
(Critical & High).json.json
---
...dent for XDR Alerts (Critical & High).json | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
new file mode 100644
index 00000000..6e26ee7c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bde332b1-a602-44eb-b834-99dc1e0b42d9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bde332b1-a602-44eb-b834-99dc1e0b42d9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "Create Incident for XDR Alerts (Critical & High)",
+ "enabled": false,
+ "description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Critical & High Serverity Alerts)",
+ "alertRuleTemplateName": "0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd"
+ }
+ }
+ ]
+}
\ No newline at end of file
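Review bot: The query on line 9273 declares `let threshold = 100;` and never references it, so the rule reads as if a count gate were intended but none is applied; either delete the `let` or wire it into a filter so the declared intent and the executed logic agree. The same dead declaration appears in the Medium & Low rule in the next hunk. The IP entity is fed from `impactScope_host_s` while the Host entity takes `impactScope_hostname_s`; if `impactScope_host_s` carries a hostname rather than an address (the column name suggests it may), the IP entity mapping on lines 9307-9315 will be populated with non-IP values, so confirm the field against the connector schema. The description on line 9321 (and its sibling in the next hunk) misspells `Serverity`; it should read `Severity`.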
From da829acdd19e622ed5c9ac0f2d711e0437fc1200 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:34 +0000
Subject: [PATCH 116/375] Exported file: Create Incident for XDR Alerts (Medium
& Low).json.json
---
...ncident for XDR Alerts (Medium & Low).json | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
new file mode 100644
index 00000000..912fc84b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc94a765-bab8-4692-9cec-86978582f1b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc94a765-bab8-4692-9cec-86978582f1b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "Create Incident for XDR Alerts (Medium & Low)",
+ "enabled": false,
+ "description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Medium & Low Serverity Alerts)",
+ "alertRuleTemplateName": "00282588-11e7-436d-90e8-011256c3c691"
+ }
+ }
+ ]
+}
\ No newline at end of file
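Review bot: `"severity": "High"` on line 9364 is applied to a rule that, per its display name and the `modelSeverity_s == 'medium' or modelSeverity_s == 'low'` filter, only ingests Medium and Low Workbench alerts, so every low-severity source alert becomes a High Sentinel alert; unless that upgrade is deliberate, `"severity": "Medium"` matches the source better. Because the Critical & High rule in the previous hunk is also `High`, the two rules are indistinguishable by severity in the incident queue, which defeats the purpose of splitting them. The `==` comparisons are case-sensitive, so the rule silently misses rows if the connector ever emits `Medium`/`Low` with different casing; `| where modelSeverity_s in~ ('medium', 'low')` is tolerant of that and shorter.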
From d35d9a88e72ea83e0006004e8024cb74e41e116c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:35 +0000
Subject: [PATCH 117/375] Exported file: Creation of expensive computes in
Azure.json.json
---
...eation of expensive computes in Azure.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
diff --git a/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
new file mode 100644
index 00000000..f4c5db53
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Low",
+ "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Creation of expensive computes in Azure",
+ "enabled": false,
+ "description": "Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions",
+ "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3"
+ }
+ }
+ ]
+}
\ No newline at end of file
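Review bot: `"triggerThreshold": 1` together with `"triggerOperator": "GreaterThan"` on lines 9454-9455 means the daily run only fires when it returns two or more matching rows, so a single creation of a GPU or large-vCPU VM in a day never raises an alert; unless two-per-day is intentional, `"triggerThreshold": 0` is the value that matches the description. In the query on line 9457, `clientIpAddress` is extended from `HTTPRequest` and then dropped by the `project` that follows, so it is dead code; either remove the extend or include the column. `ComputerName` is projected but has no entity mapping, so the created VM is absent from incident entities; a Host mapping with `"identifier": "FullName"` on `ComputerName` would surface it.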
From e25e264be81c9f95389e68934a245991cb3d8a61 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:36 +0000
Subject: [PATCH 118/375] Exported file: Credential added after admin consented
to Application.json.json
---
... after admin consented to Application.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
diff --git a/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
new file mode 100644
index 00000000..c2f0b7c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c22319a-c4d1-411e-8764-72a96333f21e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c22319a-c4d1-411e-8764-72a96333f21e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P2D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetResourceType = tostring(target.type)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend isAdminConsent = targetModifiedProp[0].newValue\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\n| extend Consent_Permissions = targetModifiedProp[4].newValue\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\n| extend UpdatedProperties = targetModifiedProp[1].newValue\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend 
TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent > TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Credential added after admin consented to Application",
+ "enabled": false,
+ "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities",
+ "alertRuleTemplateName": "707494a5-8e44-486b-90f8-155d1797a8eb"
+ }
+ }
+ ]
+}
\ No newline at end of file
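Review bot: The time filter `| where TimeConsent > TimeCred` on line 9543 keeps pairs where the consent was recorded after the credential was added, which is the reverse of what the display name and description state ("credentials were added ... after the application was granted admin consent"); if the description is the intent, the condition should be `| where TimeCred > TimeConsent`. Confirm against the upstream template before changing it, though the asymmetric lookbacks (consent 2d, credential 1d) do suggest the credential event is meant to be the newer one. Separately, `isAdminConsent`, `Consent_Permissions` and the service principal names are read by fixed index into `modifiedProperties` (`[0]`, `[4]`, `[5]`, `[2]`), which silently yields empty values if the audit schema's property order differs; selecting the entry by its `displayName` is more robust. The query also never filters on `isAdminConsent`, so user consents are matched as well, and the bare `join` is KQL's default `innerunique`, which deduplicates the consent side on the join keys and can drop a second consent for the same application.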
From 8702739bb6dcbc63ee97b117f85a431186f270c5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:37 +0000
Subject: [PATCH 119/375] Exported file: Critical Threat Detected.json.json
---
.../Critical Threat Detected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Critical Threat Detected.json
diff --git a/SentinelExported-AnalyticsRule/Critical Threat Detected.json b/SentinelExported-AnalyticsRule/Critical Threat Detected.json
new file mode 100644
index 00000000..4a9bdb5e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Critical Threat Detected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ae05016-a937-41c9-92ab-9c347b0ea127')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ae05016-a937-41c9-92ab-9c347b0ea127')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Critical Threat Detected",
+ "enabled": false,
+ "description": "This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.",
+ "alertRuleTemplateName": "2ca4e7fc-c61a-49e5-9736-5da8035c47e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
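Review bot: The `summarize ... count() by ...` followed by `project-away count_` in the query on line 9627 computes an aggregate only to discard it; `summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ...` yields the same rows without the throwaway column. `eventTime` is built by hand as `datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec`, which truncates sub-second precision; `unixtime_milliseconds_todatetime(threatHunterInfo_time_d)` is the built-in form. `External_IP` is projected but not mapped, so only the internal address reaches the incident. `"tactics": ["LateralMovement"]` and `"severity": "Medium"` are applied to every Carbon Black alert with a score of 8 or more regardless of its category, so the tactic looks arbitrary for a rule named "Critical Threat Detected"; confirm it or drop it.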
From 3de792711bbf9b8683ff8b34510cc9753940eea3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:38 +0000
Subject: [PATCH 120/375] Exported file: DEV-0322 Serv-U related IOCs - July
2021.json.json
---
...-0322 Serv-U related IOCs - July 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
diff --git a/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
new file mode 100644
index 00000000..ba92a046
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet parentprocess = (iocs | where Type =~ \"parentprocess\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (IPList), \"RequestUrl\",\"NoMatch\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, IPMatch == \"RequestUrl\", RequestURL, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = 
case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', 
UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = 'Dev-0322 IOC match'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where SourceHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = 'Dev-0322 IOC match'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ParentImage = EventDetail.[20].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = 
\"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceProcessEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\n),\n( SecurityEvent\n| where EventID == 4688\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "DEV-0322 Serv-U related IOCs - July 2021",
+ "enabled": false,
+ "description": "Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.",
+ "alertRuleTemplateName": "4759ddb4-2daf-43cb-b34e-d85b85b4e4a5"
+ }
+ }
+ ]
+}
\ No newline at end of file
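Review bot: The FileHash entity mapping on lines 9760-9768 supplies only `Value`, although the query already emits `AlgorithmCustomEntity = "SHA256"` next to `FileHashCustomEntity`; Sentinel identifies a FileHash entity by Algorithm plus Value, so the mapping should be `"fieldMappings": [ { "identifier": "Algorithm", "columnName": "AlgorithmCustomEntity" }, { "identifier": "Value", "columnName": "FileHashCustomEntity" } ]`. The IoC list is fetched with `externaldata` from `raw.githubusercontent.com/Azure/Azure-Sentinel/master/...` on every 6-hour run, so the detection depends on a mutable external file: if it is edited, moved or unreachable the rule silently matches nothing or something else, and the workspace performs an outbound fetch per run; pinning the URL to a commit (`.../Azure/Azure-Sentinel/<COMMIT_SHA>/Sample%20Data/...`) or importing the IoCs into a watchlist removes that dependency. `UrlCustomEntity` and `ProcessCustomEntity` are produced by several union branches but have no entity mapping, so those entities are lost on the incident. The query string on lines 9712-9717 is broken across physical lines in this rendering; the file itself presumably holds it on one line.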
From a7510f87da8cb57a7073b5dea5335dfc0e469752 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:38 +0000
Subject: [PATCH 121/375] Exported file: DNS events related to ToR proxies
(Normalized DNS).json.json
---
...lated to ToR proxies (Normalized DNS).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
new file mode 100644
index 00000000..c67b1c6b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e52f7d5-cb46-4880-9b3a-279444078bcf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e52f7d5-cb46-4880-9b3a-279444078bcf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let torProxies=dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nimDns(domain_has_any=torProxies)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to ToR proxies (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "3fe3c520-04f1-44b8-8398-782ed21435f8"
+ }
+ }
+ ]
+}
\ No newline at end of file
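Review bot: The ToR proxy domain list on the `query` line is inlined verbatim here and again in the legacy `DnsEvents` variant at L9905, so the two rules will drift the first time one is updated; the same pairing recurs for the mining-pool list at L9990 and L10075. A single Sentinel watchlist read through `_GetWatchlist()` would give both parser variants one source, e.g. `let torProxies = toscalar(_GetWatchlist('<TOR_PROXY_WATCHLIST>') | summarize make_list(<domain_column>));` (watchlist and column names are placeholders). Both rules also leave `"techniques": null` while naming a tactic, so the incident carries no ATT&CK technique for analysts to pivot on.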
From 2677e86ef631d8fce3b2d166a8fd7eb5fd7df2d3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:39 +0000
Subject: [PATCH 122/375] Exported file: DNS events related to ToR
proxies.json.json
---
.../DNS events related to ToR proxies.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
new file mode 100644
index 00000000..dce92719
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e0c16d9-b987-4982-8917-261b9b619c83')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e0c16d9-b987-4982-8917-261b9b619c83')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to ToR proxies",
+ "enabled": false,
+ "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.",
+ "alertRuleTemplateName": "a83ef0f4-dace-4767-bce3-ebd32599d2a0"
+ }
+ }
+ ]
+}
\ No newline at end of file
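Review bot: `| where Name contains "."` on the `query` line is redundant: every term in the following `has_any` list contains a dot, so the substring scan only adds cost ahead of the term-indexed `has_any`; the same prefilter appears in the mining-pool variant at L10075. Dropping that line leaves the result set unchanged. If the intent was to skip bare hostnames for performance, a comment in the query saying so would stop the next maintainer from removing it.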
From 2e83ebb9ae09b9468747d57db109c296e6c00547 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:40 +0000
Subject: [PATCH 123/375] Exported file: DNS events related to mining pools
(Normalized DNS).json.json
---
...ated to mining pools (Normalized DNS).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
new file mode 100644
index 00000000..e374d5a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edec3f95-3e38-4140-a078-96c6bf105d1a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edec3f95-3e38-4140-a078-96c6bf105d1a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let minersDomains=dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\"]);\nimDns(domain_has_any=minersDomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to mining pools (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "c094384d-7ea7-4091-83be-18706ecca981"
+ }
+ }
+ ]
+}
\ No newline at end of file
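Review bot: The mining-pool list on the `query` line contains repeated entries — `supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice — plus the near-duplicates `extrmepool.org` / `extremepool.org`, one of which is presumably a typo; the identical list is repeated at L10075. Duplicates are harmless to `has_any` but show the list was assembled by hand without review, and `mooo.com` looks like a general-purpose dynamic-DNS zone that could make this rule noisy — worth confirming against the intended indicator set. Deduplicating the list and recording the indicator source in the description would make the rule reviewable.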
From fb9ddd76e50f0300e1ce5c63e351cfd90188205e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:41 +0000
Subject: [PATCH 124/375] Exported file: DNS events related to mining
pools.json.json
---
.../DNS events related to mining pools.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools.json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools.json b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json
new file mode 100644
index 00000000..09a469a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a37d6c4a-630f-40f1-8ed7-85033c97b226')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a37d6c4a-630f-40f1-8ed7-85033c97b226')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to mining pools",
+ "enabled": false,
+ "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.",
+ "alertRuleTemplateName": "0d76e9cf-788d-4a69-ac7d-f234826b5bed"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9fd10794c2f2a1cc6fd726d83eb1711f8f97b005 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:42 +0000
Subject: [PATCH 125/375] Exported file: Detect PIM Alert Disabling
activity.json.json
---
.../Detect PIM Alert Disabling activity.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
diff --git a/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
new file mode 100644
index 00000000..9628cbd3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Detect PIM Alert Disabling activity",
+ "enabled": false,
+ "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access",
+ "alertRuleTemplateName": "1f3b4dfd-21ff-4ed3-8e27-afc219e05c50"
+ }
+ }
+ ]
+}
\ No newline at end of file
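Review bot: On the `query` line `UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)` assigns the initiator's IP address to a column named UserRoles, which reads as a copy-paste slip; the column is dropped by the following `project`, so the expression should either go or be corrected to the field it was meant to read. The same line extends `ResourceCustomEntity = ResourceId`, but `entityMappings` only covers Account and IP, so the affected resource never reaches the incident — an `AzureResource` entity mapping with identifier `ResourceId` and `columnName` `ResourceCustomEntity` would surface it. Parsing `InitiatedBy.user` and `InitiatedBy.app` once into two dynamic columns ahead of the `case()` would also make the IP selection readable. `techniques` is null; disabling PIM alerts plausibly maps to Impair Defenses (T1562.001) — confirm before tagging.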
From 2b2c9325e7d26b8febf0f1f9883dd5495a567d6a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:42 +0000
Subject: [PATCH 126/375] Exported file: Dev-0228 File Path Hashes November
2021 - ASIM.json.json
---
...File Path Hashes November 2021 - ASIM.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
new file mode 100644
index 00000000..46c7c8c6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nimFileEvent\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\n// Increase risk score if recent alerts for the host\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Dev-0228 File Path Hashes November 2021 - ASIM",
+ "enabled": false,
+ "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization",
+ "alertRuleTemplateName": "29a29e5d-354e-4f5e-8321-8b39d25047bf"
+ }
+ }
+ ]
+}
\ No newline at end of file
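Review bot: `AlertRiskScore` is computed on the `query` line but never surfaced — there is no `customDetails` entry and no alert-details override — so the triage-by-score the description promises is invisible on the resulting incident; the same gap is in the non-ASIM variant at L10332. Adding `"customDetails": { "AlertRiskScore": "AlertRiskScore" }` beside `entityMappings` would expose it. The `join kind=leftouter ... on DvcId` against `SecurityAlert` also fans one file event out into one row per matching alert, so a device with several Defender alerts yields duplicate alerts; reducing the right side to one score per device (for example `| summarize AlertRiskScore = max(AlertRiskScore) by DvcId`) before the join would keep a single row. The description still calls this a "hunting query" although it is deployed as a High-severity scheduled rule.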
From cece38b6106ec8025e33d922867abf62e4db54d8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:43 +0000
Subject: [PATCH 127/375] Exported file: Dev-0228 File Path Hashes November
2021.json.json
---
...v-0228 File Path Hashes November 2021.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
new file mode 100644
index 00000000..55d5f3f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8931ab6f-b308-4242-9876-014014c6b8ff')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8931ab6f-b308-4242-9876-014014c6b8ff')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nDeviceProcessEvents\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\n| extend DvcId = DeviceId\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Dev-0228 File Path Hashes November 2021",
+ "enabled": false,
+ "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.",
+ "alertRuleTemplateName": "3b443f22-9be9-4c35-ac70-a94757748439"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 380480b20bedcb4290e410509a5a4aa3fa22fc71 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:44 +0000
Subject: [PATCH 128/375] Exported file: Distributed Password cracking attempts
in AzureAD.json.json
---
...Password cracking attempts in AzureAD.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
new file mode 100644
index 00000000..ce24093f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\n| distinct *\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Distributed Password cracking attempts in AzureAD",
+ "enabled": false,
+ "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.",
+ "alertRuleTemplateName": "bfb1c90f-8006-4325-98be-c7fffbc254d6"
+ }
+ }
+ ]
+}
\ No newline at end of file
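Review bot: On the `query` line, `Status = todynamic(DeviceDetail)` parses the device detail into `Status`, so `StatusCode` and `StatusDetails` never contain the sign-in error data; the intent looks like `Status = todynamic(Status)`. Those two columns are not carried into the `summarize`, which hides the slip but leaves dead code. The IP entity mapping also receives `IPAddress` after `make_set()` and `tostring()`, i.e. a serialized JSON array rather than a single address, so the IP entity on the incident will not resolve; mapping one address per row (an `mv-expand` before the entity `extend`, with the full set kept in custom details) would fix it. The `s_threshold` / `l_threshold` constants are reasonable but worth naming in the description so tuners know where to adjust.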
From 5fc94b84d2fa49e13416e0a28b9ddc463302cb00 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:45 +0000
Subject: [PATCH 129/375] Exported file: Duplicate Rule DisplayName 1
(1).json.json
---
.../Duplicate Rule DisplayName 1 (1).json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
new file mode 100644
index 00000000..ff5257a6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/927ca451-fe12-4de3-983d-bd50cc359b7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/927ca451-fe12-4de3-983d-bd50cc359b7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CampaignInfo",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "Duplicate Rule DisplayName 1",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
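Review bot: The rule is exported with `"enabled": true` while its query is the bare table name `CampaignInfo` and `"triggerThreshold": 0` under `GreaterThan`, so it opens an incident every five hours whenever the table holds any row, with no entity mappings and an empty `description`. The next patch (rule 63d1052b-…, query `CommonSecurityLog`) has the same shape and reuses the display name `Duplicate Rule DisplayName 1`, so the two cannot be told apart in the incident queue. If these are deliberate fixtures for duplicate-name handling, say so in `description` and consider `"enabled": false` so they do not fire in whatever workspace the template is deployed to.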
From 71658fcc314f0049b6b4f466a2bc01af002d3756 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:45 +0000
Subject: [PATCH 130/375] Exported file: Duplicate Rule DisplayName 1.json.json
---
.../Duplicate Rule DisplayName 1.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
new file mode 100644
index 00000000..75316020
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63d1052b-e396-4366-a76f-4665b4b8f319')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63d1052b-e396-4366-a76f-4665b4b8f319')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "Duplicate Rule DisplayName 1",
+ "enabled": true,
+ "description": "Duplicate Rule DisplayName 1",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
From 45fc83ab12c0547a819fa090389235d2a4e53a31 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:46 +0000
Subject: [PATCH 131/375] Exported file: Email access via active sync.json.json
---
.../Email access via active sync.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Email access via active sync.json
diff --git a/SentinelExported-AnalyticsRule/Email access via active sync.json b/SentinelExported-AnalyticsRule/Email access via active sync.json
new file mode 100644
index 00000000..2f367c0d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Email access via active sync.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/215089a8-4173-47cc-801b-56f449b9e978')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/215089a8-4173-47cc-801b-56f449b9e978')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet cmdList = dynamic([\"Set-CASMailbox\",\"ActiveSyncAllowedDeviceIDs\",\"add\"]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessCommandLine has_all (cmdList)\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| extend Type = strcat(Type, \": \", Source)\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Email access via active sync",
+ "enabled": false,
+ "description": "This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\n- Note that this query can be changed to use the KQL \"has_all\" operator, which hasn't yet been documented officially, but will be soon.\n In short, \"has_all\" will only match when the referenced field has all strings in the list.\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps",
+ "alertRuleTemplateName": "2f561e20-d97b-4b13-b02d-18b34af6e87c"
+ }
+ }
+ ]
+}
\ No newline at end of file
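Review bot: The `description` is stale relative to the query: it says the query "can be changed to use the KQL has_all operator, which hasn't yet been documented officially", but all three branches already use `has_all (cmdList)` and the operator is documented; drop that bullet or rewrite it as `- The query uses the KQL "has_all" operator, which only matches when the field contains every string in the list.`. Separately, `groupByAlertDetails`, `groupByCustomDetails` and `techniques` are `null` here but `[]` in the two preceding exports, so the same key changes type between files of one schema; an exporter that always emits `[]` lets consumers iterate without a null check. The same `null` vs `[]` shape recurs in every later hunk of this series.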
From 8c92b0d5ca02ab0af43164510d41f41bf4c1e433 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:47 +0000
Subject: [PATCH 132/375] Exported file: Excessive Amount of Denied Connections
from a Single Source.json.json
---
...nied Connections from a Single Source.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
new file mode 100644
index 00000000..5a4748f5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42fd648-56d8-405b-8303-ecbf32e7f3be')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42fd648-56d8-405b-8303-ecbf32e7f3be')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 5000;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\" and Status =~ \"Deny\"\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Amount of Denied Connections from a Single Source",
+ "enabled": false,
+ "description": "This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.",
+ "alertRuleTemplateName": "3d645a88-2724-41a7-adea-db74c439cf79"
+ }
+ }
+ ]
+}
\ No newline at end of file
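Review bot: The `description` string reads `a excessive amount`; it should be `an excessive amount of denied connections`. It would also help operators to state the tuning knobs the query hides in its string, `threshold = 5000` per `Src_IP` per 5-minute bin, since the `query` value is the only place they appear.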
From d167d23169bdcb00e8eca294403188f6269d76ee Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:48 +0000
Subject: [PATCH 133/375] Exported file: Excessive Denied Proxy
Traffic.json.json
---
.../Excessive Denied Proxy Traffic.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
new file mode 100644
index 00000000..7ff20617
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 100;\nSymantecProxySG \n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Denied Proxy Traffic",
+ "enabled": false,
+ "description": "This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.",
+ "alertRuleTemplateName": "7a58b253-0ef2-4248-b4e5-c350f15a8346"
+ }
+ }
+ ]
+}
\ No newline at end of file
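Review bot: The `description` string reads `an excessive amounts of denied proxy traffic`; it should be `an excessive amount of denied proxy traffic`. As with the other threshold rules in this series, the count is per `c_ip`/`cs_host` across the full one-hour `queryPeriod` with `threshold = 100`, which the description could state so the knob is discoverable without reading the query string.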
From 65ed46b53181f24340ace860b8bd48615149f6d3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:48 +0000
Subject: [PATCH 134/375] Exported file: Excessive Failed Authentication from
Invalid Inputs.json.json
---
...ed Authentication from Invalid Inputs.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
new file mode 100644
index 00000000..d8b18864
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6926bd2-1c73-494e-b193-b5853be6b838')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6926bd2-1c73-494e-b193-b5853be6b838')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Failed Authentication from Invalid Inputs",
+ "enabled": false,
+ "description": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.",
+ "alertRuleTemplateName": "c775a46b-21b1-46d7-afa6-37e3e577a27b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From bf43038dde079f759637a3df59af09ff5d87f851 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:49 +0000
Subject: [PATCH 135/375] Exported file: Excessive NXDOMAIN DNS Queries
(Normalized DNS).json.json
---
...NXDOMAIN DNS Queries (Normalized DNS).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
new file mode 100644
index 00000000..642acc92
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let threshold = 200;\nimDns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (imDns(responsecodename='NXDOMAIN')\n ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Excessive NXDOMAIN DNS Queries (Normalized DNS)",
+ "enabled": false,
+ "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851"
+ }
+ }
+ ]
+}
\ No newline at end of file
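Review bot: The `join kind=inner (imDns(responsecodename='NXDOMAIN')) on SrcIpAddr` after the summarize re-reads every NXDOMAIN event for each offending source across the whole query period, not just the 15-minute bin that crossed the threshold, so one noisy client yields hundreds of near-identical result rows per run and the parser executes twice. Collect what is needed in the first pass instead, e.g. `| summarize count(), Queries = make_set(DnsQuery, 100) by SrcIpAddr, bin(TimeGenerated, 15m)`, and drop the join; the commented-out `//| where DnsResponseCodeName =~ "NXDOMAIN"` line and the `isnotempty(DnsResponseCodeName)` filter are redundant with the `responsecodename` parser argument and can go too. The Infoblox variant in the next patch (rule 25bd255a-…) has the same self-join and would benefit from the same change.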
From f11018d86396ee163bc2447ec9f4b0bac3129eb1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:50 +0000
Subject: [PATCH 136/375] Exported file: Excessive NXDOMAIN DNS
Queries.json.json
---
.../Excessive NXDOMAIN DNS Queries.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
new file mode 100644
index 00000000..8a17da24
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/25bd255a-bf5e-4c83-b39f-fb8570442411')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/25bd255a-bf5e-4c83-b39f-fb8570442411')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 200;\nInfobloxNIOS\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n | where isnotempty(ResponseCode)\n | where ResponseCode =~ \"NXDOMAIN\"\n ) on Client_IP\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Excessive NXDOMAIN DNS Queries",
+ "enabled": false,
+ "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.",
+ "alertRuleTemplateName": "b8266f81-2715-41a6-9062-42486cbc9c73"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ed01529121472937dc58e55d023ff59be2c68e83 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:51 +0000
Subject: [PATCH 137/375] Exported file: Excessive Windows logon
failures.json.json
---
.../Excessive Windows logon failures.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
new file mode 100644
index 00000000..9d2bb8c5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5178c35e-cf89-4442-b41b-ff963659f9a5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5178c35e-cf89-4442-b41b-ff963659f9a5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 0.333;\nlet countlimit = 50;\nSecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4625 and AccountType =~ \"User\"\n| where IpAddress !in (\"127.0.0.1\", \"::1\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\n| join kind=leftouter (\n SecurityEvent \n | where TimeGenerated between (ago(starttime) .. ago(endtime))\n | where EventID == 4625 and AccountType =~ \"User\"\n | where IpAddress !in (\"127.0.0.1\", \"::1\")\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of 
sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| extend WorkstationName = iff(WorkstationName == \"-\" or isempty(WorkstationName), Computer , WorkstationName) \n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\n| order by sum_CountToday desc nulls last \n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Windows logon failures",
+ "enabled": false,
+ "description": "User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.",
+ "alertRuleTemplateName": "2391ce61-8c8d-41ac-9723-d945b2e90720"
+ }
+ }
+ ]
+}
\ No newline at end of file
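Review bot: `Process` is a grouping key in today's `summarize` but not in the 7-day `leftouter` branch, so when an account fails from several processes each process row is compared against, and reports as `sum_CountPrev7day`, the account's whole baseline rather than its own share in `CountToday >= coalesce(CountPrev7day,0)*threshold`; presumably tolerable for a Low-severity rule, but worth a sentence in `description` or a `Process` key on both sides of the join. The long `case` that maps `SubStatus` to a reason would read better with a short comment inside the query, e.g. `// map 4625 SubStatus to a human-readable failure reason`. The JSON line holding the query appears wrapped mid-string in this view (`... too far out of` / `sync'`); that looks like page rendering rather than the file, but it is worth confirming the export parses as valid JSON.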
From e28d581f1584d6bcb3f32a9fa607e63c24411d79 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:52 +0000
Subject: [PATCH 138/375] Exported file: Excessive number of failed connections
from a single source (ASIM Network Session schema).json.json
---
... source (ASIM Network Session schema).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
diff --git a/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
new file mode 100644
index 00000000..1471296f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7b90ebc-9243-4837-bc04-15808d6fffdf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7b90ebc-9243-4837-bc04-15808d6fffdf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let threshold = 5000;\nimNetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)",
+ "enabled": false,
+ "description": "This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "4902eddb-34f7-44a8-ac94-8486366e9494"
+ }
+ }
+ ]
+}
\ No newline at end of file
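Review bot: `"techniques": null`, `"groupByAlertDetails": null` and `"groupByCustomDetails": null` (L11213, L11214, L11231) use null for empty lists, while the later "Exchange SSRF Autodiscover ProxyShell - Detection" export in this same series (templateVersion 1.0.1) emits `[]` for the same keys, so each key changes type between files and anything iterating them needs a null check. The same shape appears in the hunks ending at L11325, L11410, L11504, L11691 and L11768. If the exporter can be configured, writing `"techniques": [], "groupByAlertDetails": [], "groupByCustomDetails": []` keeps the schema stable across the export set. The description also tells the operator to "modify the threshold", but `let threshold = 5000;` lives inside the query string; a sentence in the description naming that `let` line would make the tuning point findable.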
From 081b9f788ae34138b6797168462b72a13dd5cd03 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:52 +0000
Subject: [PATCH 139/375] Exported file: Exchange AuditLog disabled.json.json
---
.../Exchange AuditLog disabled.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
diff --git a/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
new file mode 100644
index 00000000..cfee7baa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7d192e4-4786-463b-acef-ae7ea5569a06')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7d192e4-4786-463b-acef-ae7ea5569a06')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where UserType in~ (\"Admin\",\"DcAdmin\") \n// Only admin or global-admin can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\" \n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Exchange AuditLog disabled",
+ "enabled": false,
+ "description": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt\nto evade detection or avoid other defenses.",
+ "alertRuleTemplateName": "194dd92e-d6e7-4249-85a5-273350a7f5ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
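Review bot: The query at L11278 reads the AdminAuditLogEnabled value by position — `array_slice(parse_json(Parameters),3,3)` then `[0]...Value` — so an invocation of `Set-AdminAuditLogConfig` with parameters in a different order or with extra parameters makes the `=~ "False"` comparison miss and the disable goes unreported. Selecting by parameter name is more robust, e.g. `| mv-apply p = parse_json(Parameters) on (where tostring(p.Name) =~ "AdminAuditLogEnabled" | project AdminAuditLogEnabledValue = tostring(p.Value))`, assuming `Parameters` is an array of Name/Value objects as the existing `.Value` access suggests. A daily `queryFrequency`/`queryPeriod` (`P1D`, L11273–L11274) also means up to a day between the audit log being switched off and the incident, which is worth stating in the description if it is deliberate.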
From bf2875a2990f9f2278ff96aa94522e1f41e49d5a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:53 +0000
Subject: [PATCH 140/375] Exported file: Exchange OAB Virtual Directory
Attribute Containing Potential Webshell.json.json
---
...tribute Containing Potential Webshell.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
diff --git a/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
new file mode 100644
index 00000000..0cb51c74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6e2aa27-43bc-45b2-b96d-48b735364839')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6e2aa27-43bc-45b2-b96d-48b735364839')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityEvent\n// Look for specific Directory Service Changes and parse data\n| where EventID == 5136\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion = array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\n// Where changes relate to Exchange OAB\n| extend ObjectClass = column_ifexists(\"ObjectClass\", \"\")\n| where ObjectClass =~ \"msExchOABVirtualDirectory\"\n// Look for InternalHostName or ExternalHostName properties being changed\n| extend AttributeLDAPDisplayName = column_ifexists(\"AttributeLDAPDisplayName\", \"\")\n| where AttributeLDAPDisplayName in (\"msExchExternalHostName\", \"msExchInternalHostName\")\n// Look for suspected webshell activity\n| extend AttributeValue = column_ifexists(\"AttributeValue\", \"\")\n| where AttributeValue has \"script\"\n| project-rename LastSeen = TimeGenerated\n| extend ObjectDN = column_ifexists(\"ObjectDN\", \"\")\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange OAB Virtual Directory Attribute Containing Potential Webshell",
+ "enabled": false,
+ "description": "This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns",
+ "alertRuleTemplateName": "faf1a6ff-53b5-4f92-8c55-4b20e9957594"
+ }
+ }
+ ]
+}
\ No newline at end of file
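Review bot: This High-severity rule is deployed disabled (`"enabled": false`, L11403), so after applying the template the detection for the CVE-2021-27065 pattern named in the description will not run until someone enables it in the portal; if the export is meant to be redeployed as-is, the description should say so or the flag should be `true`. The same disabled state applies to the hunks ending at L11241, L11325, L11504, L11691 and L11768, while the hunk ending at L11613 deploys enabled. In the query at L11363, `| where AttributeValue has "script"` relies on `has` being a case-insensitive whole-term match; a short comment on that line, `// 'has' is a whole-term match; do not replace with 'contains'`, would stop a well-meaning maintainer from broadening it.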
From d4cf25d3ac53e01627fa19a02414f468a16aa950 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:54 +0000
Subject: [PATCH 141/375] Exported file: Exchange SSRF Autodiscover ProxyShell
- Detection (1).json.json
---
...todiscover ProxyShell - Detection (1).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
new file mode 100644
index 00000000..f884c9ec
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26de50a-8f22-4454-ae13-6442ac7decad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26de50a-8f22-4454-ae13-6442ac7decad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT12H",
+ "queryPeriod": "PT12H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection",
+ "enabled": false,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95"
+ }
+ }
+ ]
+}
\ No newline at end of file
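Review bot: This file is a second instance of the same template as the next file in the series — both carry `"alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95"` and the same query — but under a different rule id (`b26de50a-…`, L11437), with `"enabled": false`, `"techniques": null` and no AzureResource mapping, so deploying the whole set creates two rules from one template, one of them stale. If this "(1)" copy is the older one, dropping it from the export avoids duplicate incidents once it is enabled. The query also sets `ResourceCustomEntity = _ResourceId` and `FileCustomEntity = FileUri` (L11448) that no entry in `entityMappings` here consumes.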
From 9ee6e69f59d1b24a5f41513877aa35c82cec8112 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:55 +0000
Subject: [PATCH 142/375] Exported file: Exchange SSRF Autodiscover ProxyShell
- Detection.json.json
---
...F Autodiscover ProxyShell - Detection.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
new file mode 100644
index 00000000..54b461bc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64ce2f23-eab3-4e96-899a-bd2403d21a86')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64ce2f23-eab3-4e96-899a-bd2403d21a86')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT12H",
+ "queryPeriod": "PT12H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "AzureResource",
+ "fieldMappings": [
+ {
+ "identifier": "ResourceId",
+ "columnName": "ResourceCustomEntity"
+ }
+ ]
+ }
+ ],
+ "templateVersion": "1.0.1",
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190"
+ ],
+ "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection",
+ "enabled": true,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95"
+ }
+ }
+ ]
+}
\ No newline at end of file
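Review bot: The query ends with `FileCustomEntity = FileUri` (L11545) but `entityMappings` covers Account, Host, IP and AzureResource only, so the file URI is computed and then dropped from the alert's entities; either remove that extend or map it. If `FileUri` holds a file name or path (not confirmed from this hunk), a File mapping would carry it through. `"lookbackDuration": "PT5H"` with `"enabled": false` on the grouping block is harmless but inert; a note in the description that grouping is intentionally off would save the next reader from wondering whether the value is meant to be live.

```json
{
  "entityType": "File",
  "fieldMappings": [
    {
      "identifier": "Name",
      "columnName": "FileCustomEntity"
    }
  ]
}
```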
From 30f79348f7f66e136655686998a6ffd30d6c1bcc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:56 +0000
Subject: [PATCH 143/375] Exported file: Exchange Server Vulnerabilities
Disclosed March 2021 IoC Match.json.json
---
...lities Disclosed March 2021 IoC Match.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
diff --git a/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
new file mode 100644
index 00000000..d1e23e0c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb2153ae-e569-42cf-8467-40f05affa51f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb2153ae-e569-42cf-8467-40f05affa51f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = 
Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(VMConnection\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\n| where SourceIp in (ips) or DestinationIp in (ips)\n| extend IPMatch = case( SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend 
timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nDeviceNetworkEvents\n| where (RemoteIPType =~ \"Public\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\nDnsEvents\n| where SubType =~ \"LookupQuery\"\n| where Name has_any (domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n),\n(\nimDns(domain_has_any=domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange Server Vulnerabilities Disclosed March 2021 IoC Match",
+ "enabled": false,
+ "description": "This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/",
+ "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305"
+ }
+ }
+ ]
+}
\ No newline at end of file
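Review bot: The IoC set is fetched at query time with `externaldata(...)` from `raw.githubusercontent.com/Azure/Azure-Sentinel/master/...` (L11651), so what this rule alerts on is whatever that CSV contains when the query runs, and an unreachable or emptied feed makes every branch match nothing with no failure signal. Pinning the URL to a specific commit instead of `master`, or loading the indicators into a Sentinel watchlist and joining on `_GetWatchlist(...)`, keeps the detection content under the workspace's own change control. Separately, `entityMappings` maps only IP although most branches set `AccountCustomEntity`/`HostCustomEntity`, and the `WindowsFirewall` branch computes `IPMatch` but never sets `IPCustomEntity` or `timestamp`, so its hits carry no entity at all. The query text appears across L11651–L11653 here, which looks like wrapping of one long line rather than a change to the file.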
From cb802eaee9dc9a665e55568e915d676e107c9fa9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:56 +0000
Subject: [PATCH 144/375] Exported file: Exchange workflow MailItemsAccessed
operation anomaly.json.json
---
...w MailItemsAccessed operation anomaly.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
new file mode 100644
index 00000000..1611fad8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0021314-e49e-45d9-801f-e7bca20e9046')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0021314-e49e-45d9-801f-e7bca20e9046')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, score;\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\n OfficeActivity\n | where TimeGenerated > ago(2d)\n | extend DateHour = bin(TimeGenerated, 1h)\n | where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \n | where HourlyCount > 25 
// Only considering operations with more than 25 hourly count to reduce False Positivies\n | order by HourlyCount desc \n) on TimeGenerated\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\n| order by PercentofTotal desc \n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Exchange workflow MailItemsAccessed operation anomaly",
+ "enabled": false,
+ "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed",
+ "alertRuleTemplateName": "b4ceb583-4c44-4555-8ecf-39f572e827ba"
+ }
+ }
+ ]
+}
\ No newline at end of file
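Review bot: The inline comment at L11730, `// Filter Users with count of less than 5 percent of TotalEvents per Hour ...`, contradicts the threshold it guards, `let percentthreshold = 50;` (L11729), so a reader cannot tell which value is intended; align them, e.g. `// Drop users whose share of the hourly total is below percentthreshold (50%) to remove FPs`. `SourceIPMax= arg_max(Client_IPAddress, *)` picks the lexicographically largest IP string, which is not a meaningful "source IP" for the row; `take_any(Client_IPAddress)` or relying on `IPAdressList` alone says what is actually meant. The `HourlyCount > 25` floor is documented only in a query comment; listing it with `scorethreshold` and `percentthreshold` in the description would make tuning straightforward.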
From b2b443985c659584748d720dcc085edf489ab7e1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:57 +0000
Subject: [PATCH 145/375] Exported file: Explicit MFA Deny.json.json
---
.../Explicit MFA Deny.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Explicit MFA Deny.json
diff --git a/SentinelExported-AnalyticsRule/Explicit MFA Deny.json b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json
new file mode 100644
index 00000000..441d5de3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Explicit MFA Deny",
+ "enabled": false,
+ "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.",
+ "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00"
+ }
+ }
+ ]
+}
\ No newline at end of file
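Review bot: The rule is scheduled with `"queryFrequency": "P1D"` and `"queryPeriod": "P1D"`, so an explicitly declined MFA push — which the description itself ties to a possibly compromised password — can wait up to 24 hours before an incident exists; for a signal this actionable a short cadence such as `"queryFrequency": "PT1H", "queryPeriod": "PT1H"` fits the threat better. The URL entity mapping binds URLCustomEntity to ClientAppUsed, which appears to be a client-application label rather than a URL, so that mapping fills a URL entity with non-URL text and would be better dropped or carried as a custom detail. `| extend Type = Type` in the query is a no-op and can be removed.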
From ec4b569fafab502296605151b1851b997e9e8bf3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:58 +0000
Subject: [PATCH 146/375] Exported file: External Upstream Source Added to
Azure DevOps Feed.json.json
---
...eam Source Added to Azure DevOps Feed.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
diff --git a/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
new file mode 100644
index 00000000..7091dc03
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\nlet allowed_sources = dynamic([\"NuGet Gallery\"]);\nlet allowed_locations = dynamic([\"https://api.nuget.org/v3/index.json\"]);\nAzureDevOpsAuditing\n// Look for feeds created or modified at either the organization or project level\n| where OperationName matches regex \"Artifacts.Feed.(Org|Project).Modify\"\n| where Details has \"UpstreamSources, added\"\n| extend FeedName = tostring(Data.FeedName)\n| extend FeedId = tostring(Data.FeedId)\n| extend UpstreamsAdded = Data.UpstreamsAdded\n// As multiple feeds may be added expand these out\n| mv-expand UpstreamsAdded\n// Only focus on external feeds\n| where UpstreamsAdded.UpstreamSourceType !~ \"internal\"\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\n| extend SourceName = tostring(UpstreamsAdded.Name)\n// Exclude sources and locations in the allow list\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "External Upstream Source Added to Azure DevOps Feed",
+ "enabled": false,
+ "description": "The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.",
+ "alertRuleTemplateName": "adc32a33-1cd6-46f5-8801-e3ed8337885f"
+ }
+ }
+ ]
+}
\ No newline at end of file
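Review bot: The allow-list filter `| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)` suppresses an event when either the name or the location is allow-listed, so an upstream named "NuGet Gallery" that points at an arbitrary URL is silently excluded — the name is chosen by whoever adds the feed, which is exactly the supply-chain case this rule is meant to catch. The exclusion should require both fields to match, `| where not(SourceLocation in (allowed_locations) and SourceName in (allowed_sources))`, or simply key the allow list on location alone and drop the name list. The query comment above the lists should then say that a source is only allowed when its location is on the list.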
From d975e827723668703da845af67e1e03097fb3bcb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:16:59 +0000
Subject: [PATCH 147/375] Exported file: External User Access Enabled.json.json
---
.../External User Access Enabled.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External User Access Enabled.json
diff --git a/SentinelExported-AnalyticsRule/External User Access Enabled.json b/SentinelExported-AnalyticsRule/External User Access Enabled.json
new file mode 100644
index 00000000..1d8faa74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External User Access Enabled.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nZoomLogs \n| where Event =~ \"account.settings_updated\" \n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\") \n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\", \n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\", \n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\", \n EnforceLoginDomain == 'false', \"Enfored Domains Changed\", \n GuestAlerts == 'false', \"Guest Join Alerts Changed\", \n EnforceLogin == 'false', \"Enforced Logins Changed\", \n \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External User Access Enabled",
+ "enabled": false,
+ "description": "This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.",
+ "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3"
+ }
+ }
+ ]
+}
\ No newline at end of file
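Review bot: Both EnforceLogin and EnforceLoginDomain are read from the same column, `payload_object_settings_schedule_meeting_enfore_login_b`, in the two `columnifexists` calls, so EnforceLoginDomain can never differ from EnforceLogin and the "Enforced Domains Changed" / "Enfored Domains Changed" branches of the `case` can never fire on their own. The second `extend` looks like a copy-paste slip and presumably should read the domain-restriction setting column — its name is not visible here, so confirm against the ZoomLogs schema before changing `| extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")`. The `"Enfored Domains Changed"` label is also a typo for `"Enforced Domains Changed"`, and the two domain branches of the `case` currently produce different labels for overlapping conditions, which will confuse triage.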
From d4134c559ef887092a1d82978d0ada603f1a7a4f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:00 +0000
Subject: [PATCH 148/375] Exported file: External guest invitations by default
guest followed by Azure AD powershell signin.json.json
---
...ollowed by Azure AD powershell signin.json | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
diff --git a/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
new file mode 100644
index 00000000..35faf84e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs \n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\",\"Invite external user with reset invitation status\")\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| where InitiatedByUser has_any (\"live.com#\", \"#EXT#\")\n| extend parsedUser = iff(InitiatedByUser has \"live.com#\", tostring(split(InitiatedByUser, \"#\")[1]),tostring(split(InitiatedByUser, \"#EXT#\")[1])) , InvitationTime = TimeGenerated\n| join ( \nSigninLogs \n| where UserType == \"Guest\" and AppDisplayName == \"Microsoft Azure PowerShell\"\n| extend SigninTime = TimeGenerated\n) on $left.parsedUser == $right.UserPrincipalName\n| project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName , IPAddress, UserType\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess",
+ "Persistence",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "External guest invitations by default guest followed by Azure AD powershell signin",
+ "enabled": false,
+ "description": "By default guests have capability to invite more external guest user, who can do suspicious Azure AD enumeration. This detection will first look at guests \ninviting external guests users who are then logging via Azure AD powershell after accpeting invitation.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/",
+ "alertRuleTemplateName": "acc4c247-aaf7-494b-b5da-17f18863878a"
+ }
+ }
+ ]
+}
\ No newline at end of file
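Review bot: For `#EXT#` guests the parser `tostring(split(InitiatedByUser, "#EXT#")[1])` appears to yield the text after the marker, i.e. the `@<tenant>.onmicrosoft.com` suffix rather than the guest's identity, so the join `on $left.parsedUser == $right.UserPrincipalName` cannot match those rows; element `[0]` (with the `_`-for-`@` rewrite of the local part) or joining on the inviter's own UserPrincipalName is what seems intended — confirm against real InitiatedBy values. The join has no ordering constraint, so a PowerShell sign-in that precedes the invitation is still correlated; add `| where SigninTime > InvitationTime`. Unlike the sibling rules in this series, this one has no `entityMappings`, so incidents carry no account or IP entity even though InitiatedByUser and IPAddress are projected.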
From 2ff5f7792adf84373f447f9a8d8d6dbf1176b261 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:00 +0000
Subject: [PATCH 149/375] Exported file: External user added and removed in
short timeframe.json.json
---
... added and removed in short timeframe.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
diff --git a/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
new file mode 100644
index 00000000..faba53c0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n| join (\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberRemoved\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n) on UPN\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External user added and removed in short timeframe",
+ "enabled": false,
+ "description": "This detection flags the occurances of external user accounts that are added to a Team and then removed within\none hour.",
+ "alertRuleTemplateName": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b"
+ }
+ }
+ ]
+}
\ No newline at end of file
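Review bot: Both branches read only the first member, `tostring(parse_json(Members)[0].UPN)`, so a MemberAdded or MemberRemoved event carrying several members is tested on member zero alone and an external user further down the array is never seen; `| mv-expand Member = parse_json(Members) | extend UPN = tostring(Member.UPN)` in both branches covers all of them. The join is on UPN only, so an external user added to one team and removed from a different team within the hour is paired as well; `) on UPN, TeamName` keeps the add and the remove on the same team. The description's "occurances" is a typo for "occurrences".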
From ad0d358a910ce04bfe112899ef6964a389077215 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:01 +0000
Subject: [PATCH 150/375] Exported file: Failed AWS Console logons but success
logon to AzureAD.json.json
---
...e logons but success logon to AzureAD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
new file mode 100644
index 00000000..9181a3df
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where EventName == \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize count() by SourceIpAddress\n| where count_ > signin_threshold\n| summarize make_list(SourceIpAddress);\n//See if any of those IPs have sucessfully logged into Azure AD.\nSigninLogs\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails) \n| extend Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AWS Console logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "910124df-913c-47e3-a7cd-29e1643fa55e"
+ }
+ }
+ ]
+}
\ No newline at end of file
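Review bot: The SigninLogs filter `| where ResultType !in ("0", "50125", "50140")` excludes ResultType 0, the success code, so the query correlates the AWS failures with further failed Azure AD sign-ins — the opposite of the comment directly above it ("See if any of those IPs have sucessfully logged into Azure AD"), the description and the display name. The intended filter is `| where ResultType in ("0", "50125", "50140")` (0 is success; 50125/50140 are commonly treated as interrupted rather than failed flows); note the sibling rule in this series uses `!in` deliberately to build a failure list, which is the other role. The loopback exclusion `SourceIpAddress != "127.0.0.1"` also omits `"::1"`, which the sibling rules filter.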
From 2f0cf512d584c49ef70030e1f9c93a4c26e30b0e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:02 +0000
Subject: [PATCH 151/375] Exported file: Failed AzureAD logons but success
logon to AWS Console, test-6_30_2022.json.json
---
... logon to AWS Console, test-6_30_2022.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
new file mode 100644
index 00000000..a21c7140
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit your environment\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold\nlet aadFunc = (tableName:string){\nlet Suspicious_signins = \ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in (\"127.0.0.1\", \"::1\")\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\nSuspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet Suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into the AWS console\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult =~ \"Success\"\n| where SourceIpAddress in (Suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to AWS Console, test-6/30/2022",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "643c2025-9604-47c5-833f-7b4b9378a1f5"
+ }
+ }
+ ]
+}
\ No newline at end of file
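Review bot: The display name `"Failed AzureAD logons but success logon to AWS Console, test-6/30/2022"` and the file name carry a test suffix, so this appears to be a test copy exported alongside the production rules; if it is meant to be deployed, rename it to the template's name, otherwise drop it from the export so the rule set stays clean. `"defualt"` in the description is a typo for `"default"`. The summarize already keeps MFAUsed per row; surfacing `MFAUsed == "No"` as a custom detail would make the successful-console-login hits easier to triage, but that is optional.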
From 3e788654dd433ee98775b5bf1d75130f32b196f4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:03 +0000
Subject: [PATCH 152/375] Exported file: Failed AzureAD logons but success
logon to host.json.json
---
...reAD logons but success logon to host.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
new file mode 100644
index 00000000..ea33b6f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit the environment\nlet signin_threshold = 5;\n//Make a list of all IPs with failed signins to AAD above our threshold\nlet aadFunc = (tableName:string){\nlet suspicious_signins =\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in ('127.0.0.1', '::1')\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\n//See if any of these IPs have sucessfully logged into *nix hosts\nlet linux_logons =\nSyslog\n| where Facility contains \"auth\" and ProcessName != \"sudo\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\n//See if any of these IPs have sucessfully logged into Windows hosts\nlet win_logons =\nSecurityEvent\n| where EventID == 4624\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| where IpAddress in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\nunion isfuzzy=true linux_logons,win_logons\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to host",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "8ee967a2-a645-4832-85f4-72b635bcb3a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
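Review bot: The Linux branch `linux_logons` projects no `Account` column (only TimeGenerated, Computer, HostIP, IpAddress, SyslogMessage, Facility, ProcessName, Reason), so after the union `AccountCustomEntity = Account` is empty for every Syslog hit and the Account entity is populated for Windows rows only. The "Accepted" sshd message normally carries the user name; extracting it before the project, e.g. `| extend Account = extract("Accepted \\S+ for (\\S+) from", 1, SyslogMessage)` (pattern to be confirmed against the sshd lines actually ingested), gives analysts the same entity on both platforms. The IPv4-only dotted-quad regex used for SourceIP also means IPv6 SSH sources can never match the suspicious set, even though the AAD side filters `::1`.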
From fc5b4fa22e0182333c4ff6d90010c465407490bd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:03 +0000
Subject: [PATCH 153/375] Exported file: Failed Logins from Unknown or Invalid
User.json.json
---
...d Logins from Unknown or Invalid User.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
diff --git a/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
new file mode 100644
index 00000000..bb0c0a75
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed Logins from Unknown or Invalid User",
+ "enabled": false,
+ "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name",
+ "alertRuleTemplateName": "884be6e7-e568-418e-9c12-89229865ffde"
+ }
+ }
+ ]
+}
\ No newline at end of file
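Review bot: The Okta query's threshold of 15 is applied per account/client-IP pair within `bin(TimeGenerated, 5m)`, but the description at the bottom of the hunk only says "numerous login attempts", so the tuning knob is invisible to whoever enables this rule; I'd extend it with something like `Fires when an account/IP pair exceeds 15 VERIFICATION_ERROR user.session.start events within a 5-minute bin; adjust FailureThreshold in the query to tune.` The final `summarize ... by ... column_ifexists('published_t', now())` groups on the per-event timestamp when that column exists, so the second `count_` is presumably one per event rather than an aggregate — worth confirming that is intended. `techniques` is `null` while `tactics` is populated, here and in the other rule files in this series (host/AzureAD correlation, Azure Portal, valid accounts within 10 mins, authpriv, service-principal credential); if the export format carries them, filling in the MITRE technique ids makes the alerts attributable in the incident view.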
From d7b7d05259bd72056cd57f58c830779ba47e826c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:04 +0000
Subject: [PATCH 154/375] Exported file: Failed host logons but success logon
to AzureAD.json.json
---
...t logons but success logon to AzureAD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
new file mode 100644
index 00000000..d6444aad
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed Windows host logins above threshold\nlet win_fails = \nSecurityEvent\n| where EventID == 4625\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| summarize count() by IpAddress\n| where count_ > signin_threshold\n| summarize make_list(IpAddress);\n//Make a list of IPs with failed *nix host logins above threshold\nlet nix_fails = \nSyslog\n| where Facility contains 'auth' and ProcessName != 'sudo'\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP != \"\" and SourceIP != \"127.0.0.1\"\n| summarize count() by SourceIP\n| where count_ > signin_threshold\n| summarize make_list(SourceIP);\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\n| extend Reason= \"Multiple failed host logins from IP address with successful Azure AD login\"\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed host logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "1ce5e766-26ab-4616-b7c8-3b33ae321e80"
+ }
+ }
+ ]
+}
\ No newline at end of file
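Review bot: The `aadFunc` filter in the query contradicts the rule's intent: `| where ResultType !in ("0", "50125", "50140")` keeps failed Azure AD sign-ins, while the comment above it, the `Reason` string and the displayName all describe a successful AAD logon following the host failures (the Azure Portal rule in this same series documents 0 as success and 50125/50140 as non-failure interrupts). If the successful-login correlation is what is wanted, the line should read `| where ResultType in ("0", "50125", "50140")`. The same function also writes `timstamp` instead of `timestamp` in its `extend`, so the conventional time column the sibling rules produce is missing here; fix with `| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type`.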
From 7654a0952594a4871d66254960cd3002212127ae Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:05 +0000
Subject: [PATCH 155/375] Exported file: Failed login attempts to Azure
Portal.json.json
---
...Failed login attempts to Azure Portal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
diff --git a/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
new file mode 100644
index 00000000..8746e489
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins \n) on UserPrincipalName, Id\n| where TimeGenerated > TimeGenerated1\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup \n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| 
project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed login attempts to Azure Portal",
+ "enabled": false,
+ "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+ "alertRuleTemplateName": "223db5c1-1bf8-47d8-8806-bed401b356a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
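Review bot: In `failnoSuccess`, the `leftouter` join is followed by `| where TimeGenerated > TimeGenerated1`, and for failures that have no matching success `TimeGenerated1` is null, so the comparison does not evaluate true and those rows are dropped — the opposite of what the comment "verify there is no success for the same connection attempt" intends; presumably the condition should be `| where isnull(TimeGenerated1) or TimeGenerated > TimeGenerated1`. Whether a failed and a later successful sign-in actually share `Id` (the join key) is also worth confirming, since otherwise the join never matches at all. Separately, `Status = todynamic(DeviceDetail)` in the first `extend` is a copy-paste slip that is harmless only because `Status` is overwritten by `strcat(...)` on the next line, so it should be removed to avoid confusion. The comment above `successPortalSignins` says "exclude non-failure Result Types" while that filter keeps them; it should be reworded to match.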
From 3ac72a1237a06f429397a0bb78d7a9b179941671 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:06 +0000
Subject: [PATCH 156/375] Exported file: Failed logon attempts by valid
accounts within 10 mins.json.json
---
...mpts by valid accounts within 10 mins.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
new file mode 100644
index 00000000..51f35ef7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let threshold = 20;\nSecurityEvent \n| where EventID == 4625\n| where AccountType =~ \"User\"\n| where SubStatus !='0xc0000064' and Account !in ('\\\\', '-\\\\-')\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\n| extend ResourceId = column_ifexists(\"_ResourceId\", _ResourceId), SourceComputerId = column_ifexists(\"SourceComputerId\", SourceComputerId)\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during 
Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\n| where FailedLogonCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts by valid accounts within 10 mins",
+ "enabled": false,
+ "description": "Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.",
+ "alertRuleTemplateName": "0777f138-e5d8-4eab-bec1-e11ddfbc2be2"
+ }
+ }
+ ]
+}
\ No newline at end of file
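Review bot: The `SubStatus` exclusion `!='0xc0000064'` is a case-sensitive compare against a lowercase hex literal, while the `case()` a few lines later matches the same code with `=~ '0xC0000064'` (uppercase); whichever casing the collector emits, one of the two checks is inconsistent, so change the exclusion to `SubStatus !~ '0xc0000064'` to match the rest of the query. Also `column_ifexists("_ResourceId", _ResourceId)` (and its `SourceComputerId` twin) uses the column itself as the fallback, so when the column is absent the default expression cannot be resolved either; a literal default such as `""` is what makes `column_ifexists` useful. Both points are inside the long `query` string, so the fix is to the KQL rather than the JSON structure.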
From f451051fd90c030cb3898dd15be9022f7eba90f8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:07 +0000
Subject: [PATCH 157/375] Exported file: Failed logon attempts in
authpriv.json.json
---
.../Failed logon attempts in authpriv.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
new file mode 100644
index 00000000..b0cdc9f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nlet authfail = Syslog\n| where Facility =~ \"authpriv\" // looks at authpriv messages\n| where SyslogMessage contains \"authentication failure\" and SyslogMessage contains \" uid=0\"\n| parse SyslogMessage with * \"rhost=\" ExternalIP\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \nlet userfail = Syslog \n| where Facility =~ \"authpriv\" \n| where SyslogMessage contains \"user unknown\"\n| project TimeGenerated, Computer, HostIP, ProcessID;\n// Join the two log messages above\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\n// Extract the EventTime of the first logon attempt\nlet firstfail = userauthfail\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\n// Extract the EventTime of the last logon attempt\nlet lastfail = userauthfail\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\n// Count the number of failed logon attempts by External IP and internal machine\nlet totalfails = userauthfail\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), 
TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\n// Combine total attempts with timing data from above\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\n| order by DestinationHost asc nulls last;\nfinalfails \n| where TotalLogonAttempts >= threshold\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts in authpriv",
+ "enabled": false,
+ "description": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.",
+ "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6"
+ }
+ }
+ ]
+}
\ No newline at end of file
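Review bot: The entity mapping at the end of the hunk points the IP entity at the wrong side of the connection: the query exposes the remote address as `SourceAddress = ExternalIP` but maps `IPCustomEntity = DestinationIP` (the target host's own `HostIP`), so the address an analyst would block or pivot on is never surfaced as an entity and the mapped IP merely duplicates the Host entity. I'd change the last line of the query to `| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = SourceAddress`. Also `join (userfail)` and the other joins in the query specify no `kind`, so they take Kusto's default (`innerunique`), which de-duplicates the left side on the join keys before matching; if every attempt should count toward `TotalLogonAttempts`, `kind=inner` should be stated explicitly.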
From 490076a7664223adce2f3d09c75905cb7b21774b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:07 +0000
Subject: [PATCH 158/375] Exported file: First access credential added to
Application or Service Principal where no credential was present.json.json
---
...cipal where no credential was present.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
diff --git a/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
new file mode 100644
index 00000000..b6d69ff1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set == \"[]\"\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, 
targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "First access credential added to Application or Service Principal where no credential was present",
+ "enabled": false,
+ "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a"
+ }
+ }
+ ]
+}
\ No newline at end of file
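Review bot: The `UserAgent` extraction is position-dependent: `iff(AdditionalDetails[0].key == "User-Agent", ...)` only finds the header when it is the first element of `AdditionalDetails`, otherwise the column is silently empty on an alert where the client fingerprint is exactly what triage needs. Iterating the array instead (an `mv-apply` over `AdditionalDetails` filtering on `key == "User-Agent"`) would make it robust to ordering. The `| where old_value_set == "[]"` check compares the output of `parse_json` with the string literal `"[]"`; if parsing yields an empty array rather than that string, the filter may never match, so `array_length(old_value_set) == 0` (or comparing on `tostring(keyEvents.oldValue)`) would express "no previous credential" unambiguously — worth verifying against live data before relying on it.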
From 67e549e63c1b62490961fb95fa3eccc6b5a68c29 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:08 +0000
Subject: [PATCH 159/375] Exported file: Fortinet - Beacon pattern
detected.json.json
---
.../Fortinet - Beacon pattern detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
diff --git a/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
new file mode 100644
index 00000000..ec5ccc3a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9862418-b01a-40d9-84e1-bece0e2e89bb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9862418-b01a-40d9-84e1-bece0e2e89bb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 1d;\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\nlet PrivateIPregex = @\"^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.\"; // exclude destinations that fall into this category\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where TimeGenerated > ago(starttime)\n// eliminate bad data\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \"0.0.0.0\"\n// filter out deny, close, rst and SNMP to reduce data volume\n| where DeviceAction !in (\"close\", \"client-rst\", \"server-rst\", \"deny\") and DestinationPort != 161\n// map input fields\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// where destination IPs are public\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n// sort into source->destination 'sessions'\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\n| serialize\n// time diff the contact times between source and destination to get a list of deltas\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\n| extend TimeDeltainSeconds = datetime_diff(\"second\",nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\n// remove small time deltas below the set threshold\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, 
SentBytes, DeviceAction \n// summarize the deltas by source->destination\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\n// expand the deltas and the outliers\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\n// replace outliers with the average of the distribution\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\n// summarize with the smoothed distribution\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\n// get stats on the smoothed distribution\n| extend series_stats(list_TimeDeltainSeconds_normalized)\n// match jitter tolerance on smoothed distrib\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\n// where the minimum beacon threshold is satisfied and there was some data transfer\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\n// final projection\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\n// where periodicity is order 
of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Fortinet - Beacon pattern detected",
+ "enabled": false,
+ "description": "Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\n detection is set to 4.\n Increase the lookback period to capture beacons with larger periodicities.\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\n automatically using series_outliers.\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.",
+ "alertRuleTemplateName": "3255ec41-6bd6-4f35-84b1-c032b18bbfcb"
+ }
+ }
+ ]
+}
\ No newline at end of file
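Review bot: The `PrivateIPregex` exclusion in the query on line 12994 stops at RFC 1918 and loopback, so periodic traffic to link-local 169.254.0.0/16 (cloud metadata, APIPA), CGNAT 100.64.0.0/10 and multicast destinations is classified "public" and scored as beaconing; extending the pattern with `|^169\.254\.|^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.|^2(2[4-9]|3[0-9])\.` (KQL form, backslashes doubled inside the JSON string) removes that noise. The query also uses `makelist`, `makeset` and `mvexpand`, the legacy spellings of `make_list`, `make_set` and `mv-expand`; a fresh export should carry the current names. `techniques` is `null` although `tactics` names CommandAndControl, so the rule contributes nothing to technique coverage views; the same null pattern recurs in the later hunks of this series.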
From 659b57f434bcbb65b761490067fd378ff63f9773 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:09 +0000
Subject: [PATCH 160/375] Exported file: Full Admin policy created and then
attached to Roles, Users or Groups.json.json
---
...en attached to Roles, Users or Groups.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
diff --git a/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
new file mode 100644
index 00000000..daa33fc5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74a06942-f4b8-440a-bcbb-829dc41948ba')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74a06942-f4b8-440a-bcbb-829dc41948ba')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\nlet createPolicy = \"CreatePolicy\";\nlet timeframe = 1d;\nlet lookback = 14d;\n// Creating Master table with all the events to use with materialize for better performance\nlet EventInfo = AWSCloudTrail\n| where TimeGenerated >= ago(lookback)\n| where EventName in (EventNameList) or EventName == createPolicy;\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\nlet FullAdminPolicyEvents = materialize( EventInfo\n| where TimeGenerated >= ago(lookback)\n| where EventName == createPolicy\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n| mvexpand Statement\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\n| mvexpand Action\n| extend Action = tostring(Action)\n| where Effect =~ \"Allow\" and Action == \"*\" and Resource == \"*\"\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| project-rename StartTime = TimeGenerated );\nlet PolicyAttach = materialize( EventInfo\n| where TimeGenerated >= ago(timeframe)\n| where EventName in (EventNameList)\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\n| extend AttachEvent = pack(\"StartTime\", StartTime, 
\"EndTime\", EndTime, \"EventName\", EventName, \"UserIdentityType\", UserIdentityType, \"UserIdentityArn\", UserIdentityArn, \"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\n);\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\nFullAdminPolicyEvents\n| join kind=leftouter\n(\n PolicyAttach\n)\non PolicyName\n| project-away PolicyName1\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Full Admin policy created and then attached to Roles, Users or Groups",
+ "enabled": false,
+ "description": "Identity and Access Management (IAM) securely manages access to AWS services and resources. \nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html",
+ "alertRuleTemplateName": "826bb2f8-7894-4785-9a6b-a8a855d8366f"
+ }
+ }
+ ]
+}
\ No newline at end of file
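Review bot: The `Resource == "*"` test in the query on line 13072 only matches a statement whose `Resource` is the bare string `"*"`: `Resource = tostring(parse_json(Statement).Resource)` turns the array form `["*"]` into the string `["*"]`, which fails the equality, so such full-admin policies are never surfaced even though `Action` is correctly expanded with `mvexpand` just before. Expand `Resource` the same way: `| extend Resource = parse_json(Statement).Resource | mvexpand Resource | extend Resource = tostring(Resource)` ahead of the `where Effect =~ "Allow"` filter. Note also that `join kind=leftouter` on PolicyName raises on every full-admin `CreatePolicy` event whether or not an attach follows; the description ("Identifies when a policy is created…") matches that, the displayName "created and then attached" does not. Statements granting the same rights through `NotAction`/`NotResource` are outside this check and could be named as a known gap in the description.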
From 7908cd7b9b4fada6beed4f7d92c9e036b8da8a4a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:10 +0000
Subject: [PATCH 161/375] Exported file: Gain Code Execution on ADFS Server via
Remote WMI Execution.json.json
---
... ADFS Server via Remote WMI Execution.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
new file mode 100644
index 00000000..533e89ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n| union isfuzzy=true (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n| distinct Computer);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| where CommandLine has_any ('rundll32') \n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 and LogonType == 3\n| where Account !endswith \"$\"\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n// Check for WMI Events\n| 
where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| project TimeGenerated, EventType, Image, Computer, UserName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Gain Code Execution on ADFS Server via Remote WMI Execution",
+ "enabled": false,
+ "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\n Failed to resolve scalar expression named \"[@Name]\"\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml",
+ "alertRuleTemplateName": "0bd65651-1404-438b-8f63-eecddcec87b4"
+ }
+ }
+ ]
+}
\ No newline at end of file
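Review bot: The `join kind= inner … on TargetLogonId` in the query on line 13158 correlates the process event on the ADFS server with a 4624 LogonType 3 from any host, but Windows logon IDs are only unique within one boot of one machine, so the same hex value on an unrelated host satisfies the join and yields a false "lateral movement" correlation. Keep the host on the 4624 side and join on both columns: `| project Computer, TargetLogonId` and `) on Computer, TargetLogonId`. The same host-less logon-ID join appears in the next hunk, "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task", at `on $left.SubjectLogonId == $right.TargetLogonId`. The Sysmon branch raises on every EventID 19–21 on an ADFS server with no further filter; that looks intentional given how rare WMI subscriptions should be there, but a comment stating it would save the next maintainer from "fixing" it.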
From 0ae9e22586b2c926f377033eb3f1c5fb0ed4e6d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:11 +0000
Subject: [PATCH 162/375] Exported file: Gain Code Execution on ADFS Server via
SMB + Remote Service or Scheduled Task.json.json
---
...MB + Remote Service or Scheduled Task.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
new file mode 100644
index 00000000..dd9c9768
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf490122-cedd-48e7-ba93-246d9ba9bfae')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf490122-cedd-48e7-ba93-246d9ba9bfae')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where Account !endswith \"$\"\n// Check for scheduled task events\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\n| extend EventDataParsed = parse_xml(EventData)\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\"#text\"])\n// Check specifically for access to IPC$ share and PIPE\\svcctl and PIPE\\atsvc for Service Control Services and Schedule Control Services\n| union ( \n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n | where Account !endswith \"$\"\n | where EventID == 5145\n | where RelativeTargetName =~ \"svcctl\" or RelativeTargetName =~ \"atsvc\"\n)\n// Check for lateral movement\n| join kind=inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Account !endswith \"$\"\n| where EventID == 4624 and LogonType == 3\n) on $left.SubjectLogonId == $right.TargetLogonId\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task",
+ "enabled": false,
+ "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.",
+ "alertRuleTemplateName": "12dcea64-bec2-41c9-9df2-9f28461b1295"
+ }
+ }
+ ]
+}
\ No newline at end of file
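Review bot: The logon-ID extraction `tostring(EventDataParsed.EventData.Data[3]["#text"])` in the query on line 13244 relies on the subject logon ID being the fourth EventData element for every one of 4697–4702; if that position is wrong for any of them the subsequent inner join silently drops those rows with no error, unlike the name-based pivot used in the sibling WMI rule. A comment naming the assumption would help: `// Data[3] is assumed to be SubjectLogonId for all of 4697-4702; verify against the event schema before changing the EventID list`. The 5145 branch uses the built-in `SubjectLogonId` column, so only the scheduled-task/service branch depends on this index. The 4624 side of the join is not restricted to `ADFS_Servers`; since the rule is about network logons to the ADFS server itself, `| where Computer in~ (ADFS_Servers)` there would also narrow the match.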
From c5758bf3562e8a02a4ca478d27f6b061b491762d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:12 +0000
Subject: [PATCH 163/375] Exported file: GitHub Activites from a New
Country.json.json
---
.../GitHub Activites from a New Country.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
new file mode 100644
index 00000000..39ec52a6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAudit\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Activites from a New Country",
+ "enabled": false,
+ "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.",
+ "alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546"
+ }
+ }
+ ]
+}
\ No newline at end of file
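Review bot: The detection window and the schedule disagree: the query on line 13329 inspects only `between (ago(StartTime) .. ago(EndRunTime))`, i.e. the last hour (`StartTime = 1h`, `RunTime = 1h`), while `queryFrequency` is `P1D`, so activity in the other 23 hours of each day is never evaluated. Either run hourly, `"queryFrequency": "PT1H"`, or widen the window with `let RunTime = 1d; let StartTime = 1d;` (then `EndLearningTime` becomes 8d and `queryPeriod` must cover it; even now it is 7d1h against a `P7D` period). Separately, `set_Country !contains Country` stringifies the set and performs a substring test, so a new country whose value is a substring of a previously seen one is missed; `| where not(set_has_element(set_Country, Country))` is the exact membership test.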
From 39e7136d8b835f26e1cbd93aaa1d71d6d4d8940b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:12 +0000
Subject: [PATCH 164/375] Exported file: GitHub Security Vulnerability in
Repository.json.json
---
... Security Vulnerability in Repository.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
new file mode 100644
index 00000000..f3242ab7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1e944163-f959-46f8-9760-95a54652437b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1e944163-f959-46f8-9760-95a54652437b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Informational",
+ "query": "\nGitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": null,
+ "techniques": null,
+ "displayName": "GitHub Security Vulnerability in Repository",
+ "enabled": false,
+ "description": "This alerts when there is a new security vulnerability in a GitHub repository.",
+ "alertRuleTemplateName": "5436f471-b03d-41cb-b333-65891f887c43"
+ }
+ }
+ ]
+}
\ No newline at end of file
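Review bot: This rule has no `entityMappings` (the sibling exports map Account, IP or Host) and `tactics` is `null` rather than an array, so each hourly hit creates an incident with nothing to group, search or enrich on. The query on line 13405 already projects `Link`; mapping it, `{"entityType": "URL", "fieldMappings": [{"identifier": "Url", "columnName": "Link"}]}`, gives analysts a pivot, and `"tactics": []` keeps the field's type consistent with the other rules in this series. The column name `DismmisedAt` in the project list looks like a typo for DismissedAt, but it may be the connector's actual schema name — worth confirming against the `GitHubRepo` table before touching it.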
From fefa46efd8bc4288a2da3a1dd098c9ab2e5f3e8f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:13 +0000
Subject: [PATCH 165/375] Exported file: GitHub Signin Burst from Multiple
Locations.json.json
---
... Signin Burst from Multiple Locations.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
new file mode 100644
index 00000000..2425d232
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName == \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > 1\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Signin Burst from Multiple Locations",
+ "enabled": false,
+ "description": "This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).",
+ "alertRuleTemplateName": "d3980830-dd9d-40a5-911f-76b44dfdce16"
+ }
+ }
+ ]
+}
\ No newline at end of file
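Review bot: The `summarize` in the query on line 13468 drops `IPAddress`, so a "burst from multiple locations" alert carries the user and the set of `Location` strings but none of the source addresses an analyst needs to tell a VPN or mobile roam from a token replay; adding `IPAddresses = make_set(IPAddress)` to the summarize keeps that evidence on the alert. `CountOfLocations > 1` inside a single `PT1H` window fires on any user whose two successful sign-ins came from two `Location` values, so expect steady volume from roaming users once enabled; a short note in the description would set that expectation.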
From 71534b59a17d55fbd5592e69905d756f3f73bfc7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:14 +0000
Subject: [PATCH 166/375] Exported file: GitHub Two Factor Auth
Disable.json.json
---
.../GitHub Two Factor Auth Disable.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
new file mode 100644
index 00000000..f8a9e188
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nGitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Two Factor Auth Disable",
+ "enabled": false,
+ "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ",
+ "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7"
+ }
+ }
+ ]
+}
\ No newline at end of file
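Review bot: The rule is scheduled with `"queryFrequency": "P1D"` and `"queryPeriod": "P1D"` for a single-event, high-signal action (the org-wide 2FA requirement being disabled), so an attacker gets up to a day before an incident exists. Tightening to `"queryFrequency": "PT1H"` and `"queryPeriod": "PT1H"` costs nothing here because the query has no aggregation or baseline. `"techniques": null` could carry the Impair Defenses technique the DefenseEvasion tactic implies, e.g. `"techniques": ["T1562"]`, and since the export sets `"enabled": false` the rule detects nothing until it is switched on after import.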
From 2d75dbc4a3a010f9affbd71eeeceb10c483eeda4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:15 +0000
Subject: [PATCH 167/375] Exported file: Group created then added to built in
domain local or global group.json.json
---
...built in domain local or global group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
new file mode 100644
index 00000000..c85532e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet GroupAddition = SecurityEvent \n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group \n| where EventID in (\"4728\", \"4732\", \"4756\") \n| where AccountType =~ \"User\" and MemberName == \"-\"\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\nlet GroupCreated = SecurityEvent\n// 4727 - A security-enabled global group was created\n// 4731 - A security-enabled local group was created\n// 4754 - A security-enabled universal group was created\n| where EventID in (\"4727\", \"4731\", \"4754\")\n| where AccountType =~ \"User\"\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\nGroupCreated\n| join (\nGroupAddition\n) on GroupSid \n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Group created then added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.",
+ "alertRuleTemplateName": "a7564d76-ec6b-4519-a66b-fcc80c42332b"
+ }
+ }
+ ]
+}
\ No newline at end of file
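Review bot: Only the group creator (`GroupCreateSubjectAccount`) is mapped as the Account entity; the principal that performed the addition, `GroupAddSubjectAccount`, is projected but never surfaced, and when the two steps are done by different accounts it is the more interesting actor. Add a second Account mapping or at least expose it, e.g. `| extend AddedByCustomEntity = GroupAddSubjectAccount`. Because `queryPeriod` equals `queryFrequency` (both PT1H), a creation at the end of one window and the addition at the start of the next never join; a slightly longer `"queryPeriod": "PT2H"` closes that gap at the cost of occasional duplicate alerts. The SID regexes use `[0-9]*`, which also admits empty domain-identifier components; `[0-9]+` is the intended form.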
From c15fdc3fe25bcedb9e37e0e496805bdc70e21f5e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:15 +0000
Subject: [PATCH 168/375] Exported file: HAFNIUM New UM Service Child
Process.json.json
---
.../HAFNIUM New UM Service Child Process.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
new file mode 100644
index 00000000..41dbee52
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM New UM Service Child Process",
+ "enabled": false,
+ "description": "This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9"
+ }
+ }
+ ]
+}
\ No newline at end of file
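Review bot: The `rightanti` join is keyed on `NewProcessName` alone, so a child process observed on any Exchange server in the 14-day baseline is treated as known on every server, and a new executable path is the only thing that can fire — a webshell that launches an already-seen binary with a different command line is invisible to this rule. Joining `on Computer, NewProcessName` makes the baseline per host (expect a burst of alerts when a server is newly onboarded), and a sentence in the description that process-path novelty, not command line, is the signal would help tuners. The IP entity is taken from `IpAddress` on a 4688 record, which for local process creation is usually empty; confirm it adds value before keeping the mapping.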
From 8191186d2fc69ed7d9bc7642b8d82dd881b9e6a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:16 +0000
Subject: [PATCH 169/375] Exported file: HAFNIUM Suspicious Exchange
Request.json.json
---
.../HAFNIUM Suspicious Exchange Request.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
new file mode 100644
index 00000000..ada898a7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let exchange_servers = (\nW3CIISLog\n| where TimeGenerated > ago(14d)\n| where sSiteName =~ \"Exchange Back End\"\n| summarize by Computer);\nW3CIISLog\n| where TimeGenerated > ago(1d)\n| where Computer in (exchange_servers)\n| where csUriQuery startswith \"t=\"\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious Exchange Request",
+ "enabled": false,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "23005e87-2d3a-482b-b03d-edbebd1ae151"
+ }
+ }
+ ]
+}
\ No newline at end of file
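Review bot: `AccountCustomEntity = csUserName` is mapped as an Account entity, but for the unauthenticated requests this pattern targets the IIS field is normally `-`, which then becomes a literal `-` account on every incident. Blank it before mapping, e.g. `| extend AccountCustomEntity = iff(csUserName == "-", "", csUserName)`, so the entity is only created when a user name exists. The only request filter is `csUriQuery startswith "t="`, which is a weak indicator on its own; expect to tune with `csUriStem` exclusions once it has run against production traffic, and say so in the description.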
From 3c808edd068a0960567b574e34eed5c302795abb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:17 +0000
Subject: [PATCH 170/375] Exported file: HAFNIUM Suspicious File
Downloads_.json.json
---
.../HAFNIUM Suspicious File Downloads_.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
new file mode 100644
index 00000000..cbeb0997
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious File Downloads.",
+ "enabled": false,
+ "description": "This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "03e04c97-8cae-48b3-9d2f-4ab262e4ffff"
+ }
+ }
+ ]
+}
\ No newline at end of file
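Review bot: `Extension in (scriptExtensions)` is case-sensitive in KQL, so a `.ASPX` or `.Php` temporary file is classified `InteractiveFile = "No"`; use `in~` (or `tolower()` the extension first) so the classification cannot be dodged by casing. As shipped the `//| where InteractiveFile =~ "Yes"` filter is commented out, so with `"triggerThreshold": 0` every failed OAB download creates a Medium incident regardless of file type; either uncomment it or state in the description that the rule is intentionally broad. `split(File, ".")[-1]` returns the whole name when there is no dot, which is harmless for the membership test but worth a comment in the query.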
From 123dfa1c7d226fe9b996ff8c83daf2d33f506de7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:18 +0000
Subject: [PATCH 171/375] Exported file: HAFNIUM Suspicious UM Service
Error.json.json
---
.../HAFNIUM Suspicious UM Service Error.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
new file mode 100644
index 00000000..e45f5345
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "Event\n| where EventLog =~ \"Application\"\n| where Source startswith \"MSExchange\"\n| where EventLevelName =~ \"error\"\n| where (RenderedDescription startswith \"Watson report\" and RenderedDescription contains \"umworkerprocess\" and RenderedDescription contains \"TextFormattingRunProperties\") or RenderedDescription startswith \"An unhandled exception occurred in a UM worker process\" or RenderedDescription startswith \"The Microsoft Exchange Unified Messaging service\" or RenderedDescription contains \"MSExchange Unified Messaging\"\n| where RenderedDescription !contains \"System.OutOfMemoryException\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious UM Service Error",
+ "enabled": false,
+ "description": "This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "0625fcce-6d52-491e-8c68-1d9b801d25b9"
+ }
+ }
+ ]
+}
\ No newline at end of file
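Review bot: The last OR branch, `RenderedDescription contains "MSExchange Unified Messaging"`, matches any error that merely mentions the UM service, which is far broader than the Watson and unhandled-exception signatures the other branches pin down and is likely to dominate the results. Consider dropping it, or restricting it to a specific `Source`, and document in the description that only the Windows Application log collected into `Event` is consulted. Only a Host entity is mapped, so incidents carry no account or IP context; that is inherent to the data source and worth stating so analysts pivot elsewhere.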
From c2f2c269fff6295b90adfc0dcf83e23fc1ac357b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:18 +0000
Subject: [PATCH 172/375] Exported file: HAFNIUM UM Service writing suspicious
file.json.json
---
...UM UM Service writing suspicious file.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
new file mode 100644
index 00000000..c3bd2707
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM UM Service writing suspicious file",
+ "enabled": false,
+ "description": "This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e"
+ }
+ }
+ ]
+}
\ No newline at end of file
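Review bot: The query computes `AccountCustomEntity` and `HostCustomEntity` in all three union branches, but `entityMappings` only maps the IP entity, and `IPCustomEntity` is never set in the `imFileEvent` branch, so a High-severity incident from that branch has no entities at all and cannot be grouped or correlated. Add Account and Host mappings before the existing IP mapping. It is also worth noting in the description that the `SecurityEvent` 4663 branch only produces events where object-access auditing (a SACL) is configured on the Exchange web directories.
```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "AccountCustomEntity" }
    ]
  },
  {
    "entityType": "Host",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "HostCustomEntity" }
    ]
  },
```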
From 7c7693c289b5235b2a9efa1552cf3822d64ac3f5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:19 +0000
Subject: [PATCH 173/375] Exported file: High Number of Urgent Vulnerabilities
Detected (1).json.json
---
...f Urgent Vulnerabilities Detected (1).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
new file mode 100644
index 00000000..500a2085
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| where Detections_s.Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "be52662c-3b23-435a-a6fa-f39bdfc849e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
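Review bot: This rule and the one reading `QualysHostDetectionV2_CL` both carry `"displayName": "High Number of Urgent Vulnerabilities Detected"`, so two rules with different IDs and schemas produce incidents that cannot be told apart by name; rename this one to say which table it reads, e.g. `"displayName": "High Number of Urgent Vulnerabilities Detected (Qualys V1 schema)"`. `count()` counts expanded detection rows, so a host whose results are ingested twice inside the hour is counted twice; if the expanded detection carries a stable identifier, `dcount` on it is the robust measure. `IPAddress` is the only column without a `_s` suffix in this custom-log query — confirm it matches the actual table schema.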
From f937209c57b5d20644485a720e9821719ad51374 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:20 +0000
Subject: [PATCH 174/375] Exported file: High Number of Urgent Vulnerabilities
Detected.json.json
---
...er of Urgent Vulnerabilities Detected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
new file mode 100644
index 00000000..2cdfbc25
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "3edb7215-250b-40c0-8b46-79093949242d"
+ }
+ }
+ ]
+}
\ No newline at end of file
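Review bot: With `"queryFrequency": "PT1H"`, `"suppressionEnabled": false` and grouping disabled, a host that keeps ingesting ten or more severity-5 detections creates a fresh Medium incident every hour until the vulnerabilities are remediated, which is how vulnerability-count rules turn into alert fatigue. Enable grouping on the Host entity (`"enabled": true, "matchingMethod": "Selected", "groupByEntities": ["Host"]` with a lookback matching the scan cadence) or turn suppression on with a duration of at least the scan interval. The `InitialAccess` tactic is a stretch for a posture finding; no tactic, or a note in the description explaining the choice, would be more honest.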
From b5c1f88fed2db0cf179bc06e7ec4ec959553c3b4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:21 +0000
Subject: [PATCH 175/375] Exported file: High Urgency Cyberpion Action
Items.json.json
---
.../High Urgency Cyberpion Action Items.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
diff --git a/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
new file mode 100644
index 00000000..cd614521
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe)\n | summarize max(bin(TimeGenerated, time_generated_bucket))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Urgency Cyberpion Action Items",
+ "enabled": false,
+ "description": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query.",
+ "alertRuleTemplateName": "8e0403b1-07f8-4865-b2e9-74d1e83200a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
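Review bot: The query ends with `| extend DNSCustomEntity = host_s` but the rule carries no `entityMappings` block, so the host column is never attached to the alert as an entity and `"matchingMethod": "AllEntities"` has nothing to match on. Every other exported rule in this series maps its `*CustomEntity` columns explicitly between `incidentConfiguration` and `tactics`. A DNS mapping on `DNSCustomEntity` would give the alert an entity; the column name suggests host_s holds a domain name, so confirm that before choosing DNS over Host.
```json
  },
  "entityMappings": [
    {
      "entityType": "DNS",
      "fieldMappings": [
        {
          "identifier": "DomainName",
          "columnName": "DNSCustomEntity"
        }
      ]
    }
  ],
  "tactics": [
```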
From 4d1ec18cbac3dcd21d779d24cd860168667a48da Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:22 +0000
Subject: [PATCH 176/375] Exported file: High count of connections by client IP
on many ports.json.json
---
...onnections by client IP on many ports.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
diff --git a/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
new file mode 100644
index 00000000..be38502a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 10m;\nlet portThreshold = 30;\nW3CIISLog\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - 
https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of attempts by client IP on many ports\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| extend portCount = arraylength(set_sPort)\n| where portCount >= portThreshold\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\n| order by portCount\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of connections by client IP on many ports",
+ "enabled": false,
+ "description": "Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \nThis could also simply indicate a misconfigured service or device.\nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "44a555d8-ecee-4a25-95ce-055879b4b14b"
+ }
+ }
+ ]
+}
\ No newline at end of file
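Review bot: `makeset(sPort)` appears twice in the `summarize` on the `query` line, once at the head of the aggregation list and again after `makeset(sSiteName)`; the second copy is redundant and should be dropped, since whether Kusto rejects the duplicate output column or renames it, `arraylength(set_sPort)` reads only the first. The same line uses the legacy aliases `makeset` and `arraylength`, which also appear in the queries of the next two hunks (High count of failed attempts from same client IP, High count of failed logons by a user); the current names are `make_set` and `array_length`. The query text is also split across two physical lines in this patch, which looks like a transcription artifact rather than a break inside the JSON string.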
From 475829edb17a576af2f987f7e6799145802b9d3c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:22 +0000
Subject: [PATCH 177/375] Exported file: High count of failed attempts from
same client IP.json.json
---
...f failed attempts from same client IP.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
diff --git a/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
new file mode 100644
index 00000000..17f73e2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/837ae291-8946-4918-a036-a22f4da70456')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/837ae291-8946-4918-a036-a22f4da70456')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 1m;\nlet failedThreshold = 20;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", 
\"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed attempts from same client IP\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of failed attempts from same client IP",
+ "enabled": false,
+ "description": "Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \npotentially block these connections at the edge device.\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \nthat is associated with the client IP.\nReferences:\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "19e01883-15d8-4eb6-a7a5-3276cd668388"
+ }
+ }
+ ]
+}
\ No newline at end of file
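Review bot: `"techniques": null` leaves the rule without an ATT&CK technique even though the description explicitly frames the detection as attempted brute force under `CredentialAccess`; `"techniques": ["T1110"]` would let incident triage filter on it. The same gap applies to the next hunk (High count of failed logons by a user), whose description also names brute force. It is possible the exporter dropped a value the source template carries, so check the template before editing.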
From 00d00eddd3813683f7b0f51499e81897e2ea8b0e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:23 +0000
Subject: [PATCH 178/375] Exported file: High count of failed logons by a
user.json.json
---
...High count of failed logons by a user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of failed logons by a user.json
diff --git a/SentinelExported-AnalyticsRule/High count of failed logons by a user.json b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json
new file mode 100644
index 00000000..83b847c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", 
\nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed logons by a user\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of failed logons by a user",
+ "enabled": false,
+ "description": "Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis could be indicative of attempted brute force based on known account information.\nThis could also simply indicate a misconfigured service or device. \nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "884c4957-70ea-4f57-80b9-1bca3890315b"
+ }
+ }
+ ]
+}
\ No newline at end of file
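Review bot: The two `| extend csUriQuery = iff(...)` lines in the query replace the existing `csUriQuery` column (extend updates a column of the same name), so every later use (`url_decode(csUriQuery)`, `makeset(csUriQuery)`) sees the truncated Exchange form and the raw query string is no longer present in the output, while the in-query comment only says the unique identifier is removed. A comment on the first of those lines such as `// replaces csUriQuery in place; the original value is not retained in set_csUriQuery` would make that deliberate, or the result could go to a new column if the original is wanted in the results.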
From 96f6c113ae690290f8e21861037d9e47eacede63 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:24 +0000
Subject: [PATCH 179/375] Exported file: IP with multiple failed Azure AD
logins successfully logs in to Palo Alto VPN.json.json
---
...successfully logs in to Palo Alto VPN.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
diff --git a/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
new file mode 100644
index 00000000..04938243
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29579f11-7599-48db-9ded-b81730a99f26')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29579f11-7599-48db-9ded-b81730a99f26')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold.\nlet aadFunc = (tableName:string){\nlet suspicious_signins = \n table(tableName)\n //Looking for logon failure results\n | where ResultType !in (\"0\", \"50125\", \"50140\")\n //Exclude localhost addresses to reduce the chance of FPs\n | where IPAddress !in (\"127.0.0.1\", \"::1\")\n | summarize count() by IPAddress\n | where count_ > signin_threshold\n | summarize make_set(IPAddress);\n suspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\nCommonSecurityLog\n //Select only PA VPN sucessful logons\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"globalprotect\"\n | where Message has \"GlobalProtect gateway user authentication succeeded\"\n //Parse out the logon source IP from the Message field to match on\n | extend SourceIP = extract(\"Login from: ([^,]+)\", 1, Message) \n | where SourceIP in (suspicious_signins)\n | extend Reason = \"Multiple failed AAD logins from SourceIP\"\n //Parse out other useful information from Message field\n | extend User = extract('User name: ([^,]+)', 1, Message) \n | extend ClientOS = extract('Client OS version: ([^,\\\"]+)', 1, Message)\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN",
+ "enabled": false,
+ "description": "This query creates a list of IP addresses with a number failed login attempts to AAD \nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\nof these IPs within the same timeframe.",
+ "alertRuleTemplateName": "ba144bf8-75b8-406f-9420-ed74397f9479"
+ }
+ }
+ ]
+}
\ No newline at end of file
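Review bot: The description reads `a number failed login attempts`, which is missing a word; `a number of failed login attempts` is what is meant. In the query, the comment `//Looking for logon failure results` sits above `ResultType !in ("0", "50125", "50140")` but does not say why the two non-zero codes are excluded; presumably they are sign-in interruption codes rather than failures, and a comment naming that, e.g. `//0 = success; 50125 and 50140 are interrupt codes, not failures`, would save the next reader a lookup — confirm against the AAD result-code reference before adding it.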
From b58e2622f0918182b18b67c5f107da634e8604f9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:25 +0000
Subject: [PATCH 180/375] Exported file: Known Barium IP.json.json
---
.../Known Barium IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Barium IP.json
diff --git a/SentinelExported-AnalyticsRule/Known Barium IP.json b/SentinelExported-AnalyticsRule/Known Barium IP.json
new file mode 100644
index 00000000..2834837f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Barium IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/872545df-734f-481c-acd9-4a2d7af889e3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/872545df-734f-481c-acd9-4a2d7af889e3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = 
SourceIPAddress , AccountCustomEntity = Account \n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer \n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer \n), \n(Event \n| where Source == \"Microsoft-Windows-Sysmon\" \n| where EventID == 3 \n| extend EvData = parse_xml(EventData) \n| extend EventDetail = EvData.DataItem.EventData.Data \n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"] \n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\") \n), \n(WireData \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where 
isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n) \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Barium IP",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
+ "alertRuleTemplateName": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63"
+ }
+ }
+ ]
+}
\ No newline at end of file
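Review bot: The imDns leg of the query at L14709–L14711 reads a `ResponseName` column and maps the host entity to `SrcIpAddr`, which disagrees with the IRIDIUM export of the same leg at L15093, where the normalized column is `DnsResponseName`, the host is `Dvc` and the IP entity is `SrcIpAddr`. If the imDns parser only exposes `DnsResponseName`, the reference fails to resolve and the rule errors (or, at best, the leg is silently dropped), and in either case the Host entity here receives an IP address rather than a device name. Aligning it with the IRIDIUM form, `| extend DestinationIPAddress = DnsResponseName, Host = Dvc` and `| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host`, would fix both. The Sysmon leg's positional `EventDetail.[9]` and `EventDetail.[14]` lookups presumably depend on the Event ID 3 field order, and a short comment stating that assumption would help whoever next edits the rule.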
From 1d564fcd6518aa7e736a9989577f4fa2f3f8a328 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:25 +0000
Subject: [PATCH 181/375] Exported file: Known Barium domains.json.json
---
.../Known Barium domains.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Barium domains.json
diff --git a/SentinelExported-AnalyticsRule/Known Barium domains.json b/SentinelExported-AnalyticsRule/Known Barium domains.json
new file mode 100644
index 00000000..26b4f12c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Barium domains.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", 
\"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", 
\"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", 
\"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (DnsEvents \n | extend DNSName = Name \n | where isnotempty(DNSName) \n | where DNSName has_any (DomainNames) \n | extend IPAddress = ClientIP \n ), \n (imDns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ 
(DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (DomainNames) \n | extend DNSName = Request_Name\n | extend IPAddress = ClientIP \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPAddress = SourceHost\n ) \n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Barium domains",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
+ "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d"
+ }
+ }
+ ]
+}
\ No newline at end of file
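Review bot: The DeviceNetworkEvents leg of the query at L14807–L14808 tests `RemoteUrl in~ (DomainNames)`, an exact case-insensitive equality, while every other leg matches the list with `has_any`; if RemoteUrl carries a scheme, port or path rather than a bare hostname, that leg never matches. `| where RemoteUrl has_any (DomainNames)` would behave consistently with the DnsEvents and AzureDiagnostics legs. The DomainNames list at L14804–L14807 also repeats several entries near its end (for example `cdsend.xyz`, `comcleanner.info`, `steamappstore.com`, `wnswindows.com`), which is harmless for membership tests but suggests two lists were concatenated without de-duplication; a de-duplicated list, or a comment marking where the second batch begins, would make future IOC updates safer.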
From c0d46a205d1dd56ca79a6834df05027438313aba Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:26 +0000
Subject: [PATCH 182/375] Exported file: Known CERIUM domains and
hashes.json.json
---
.../Known CERIUM domains and hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
new file mode 100644
index 00000000..6fdffb9b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = ClientIP\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known CERIUM domains and hashes",
+ "enabled": false,
+ "description": "CERIUM malicious webserver and hash values for maldocs and malware. \n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.",
+ "alertRuleTemplateName": "c87fb346-ea3a-4c64-ba92-3dd383e0f0b5"
+ }
+ }
+ ]
+}
\ No newline at end of file
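Review bot: In the CommonSecurityLog leg of the query at L14902, `| where isnotempty(FileHash)` runs before `| where FileHash in (SHA256Hash) or DNSName =~ DomainNames`, so a CEF event whose message names the IOC domain but carries no file hash is discarded before the domain test, making the domain half of the OR unreachable for DNS-only events. If the intent is to alert on either indicator, fold the emptiness check into the condition, `| where (isnotempty(FileHash) and FileHash in (SHA256Hash)) or DNSName =~ DomainNames`. The GALLIUM export at L14998 has the same ordering in its CommonSecurityLog leg. The description at L14953 names only CommonSecurityLog, DnsEvents and VMConnection, but the query also reads AzureDiagnostics and matches SHA256 hashes, so the description understates what the rule inspects.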
From 140d0b1b6efe7e57b2b5957a88fc83b262413e0e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:27 +0000
Subject: [PATCH 183/375] Exported file: Known GALLIUM domains and
hashes.json.json
---
.../Known GALLIUM domains and hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
new file mode 100644
index 00000000..360e64e9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/338cfd75-5f86-4e98-91a0-87733bd4698e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/338cfd75-5f86-4e98-91a0-87733bd4698e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic ([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", \"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", \"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", 
\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n( imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA1=' SHA1 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| extend Account = UserName\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any 
(SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known GALLIUM domains and hashes",
+ "enabled": false,
+ "description": "GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ",
+ "alertRuleTemplateName": "26a3b261-b997-4374-94ea-6c37f67f4f39"
+ }
+ }
+ ]
+}
\ No newline at end of file
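Review bot: The Sysmon leg of the query at L14998 extracts a value with `parse Hashes with * 'SHA1=' SHA1 ',' *` but then filters on the unparsed column, `| where Hashes in (SHA1Hash)`; because Hashes holds the whole `SHA1=…,…` string, it can never equal a bare SHA1 value and this leg yields nothing. The filter should use the parsed value, `| where SHA1 in (SHA1Hash)`, and since the parse pattern requires a trailing comma it will miss events where SHA1 is the last or only hash in the field, so a pattern without the trailing `','` or an `extract("SHA1=([0-9a-fA-F]{40})", 1, tostring(Hashes))` fallback is worth considering (Hashes comes from `EventDetail.[16].["#text"]` and is dynamic, so a `tostring()` may be needed before parsing). The leg also has no EventID filter, so `EventDetail.[16]` is read from every Sysmon event type and presumably only holds the Hashes field for process-creation events; the existing inline comment about the table name could state that assumption.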
From cd49cf4ff27f287f4514d29dd44c5d677694b816 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:28 +0000
Subject: [PATCH 184/375] Exported file: Known IRIDIUM IP.json.json
---
.../Known IRIDIUM IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
diff --git a/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
new file mode 100644
index 00000000..ca0ee39c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend 
EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known IRIDIUM IP",
+ "enabled": false,
+ "description": "IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.",
+ "alertRuleTemplateName": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63"
+ }
+ }
+ ]
+}
\ No newline at end of file
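Review bot: In the CommonSecurityLog branch of the `query` value, a hit found only in Message sets `IPCustomEntity = "IP in Message Field"`, so the IP entity mapping (`identifier: Address` → `IPCustomEntity`) is populated with a placeholder string instead of an address; the same pattern appears in the Manganese export's CommonSecurityLog branch. Consider extracting the address from Message with `extract_all` against an IPv4 pattern and keeping only values present in `IPList`, or leaving `IPCustomEntity` empty for that case so no IP entity is created from junk. This export also matches Message with `Message has_any (IPList)` while the Manganese export uses `has_any_ipv4(Message, IPList)`; the latter is the IP-aware form and would be the consistent choice here. The VMConnection branch sets `Host = Computer` but not `HostCustomEntity`, and the two AzureDiagnostics branches set no `timestamp`, so those rows will not populate the Host mapping — presumably intended, but worth confirming.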
From b18ef48552520e55e53a9fb235d34732ab8482db Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:28 +0000
Subject: [PATCH 185/375] Exported file: Known Malware Detected.json.json
---
.../Known Malware Detected.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Malware Detected.json
diff --git a/SentinelExported-AnalyticsRule/Known Malware Detected.json b/SentinelExported-AnalyticsRule/Known Malware Detected.json
new file mode 100644
index 00000000..4ab955a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Malware Detected.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Known Malware Detected",
+ "enabled": false,
+ "description": "This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.",
+ "alertRuleTemplateName": "9f86885f-f31f-4e66-a39d-352771ee789e"
+ }
+ }
+ ]
+}
\ No newline at end of file
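Review bot: The `description` value reads `on a endpoint managed by a Carbon Black`; suggest `This creates an incident when known malware is detected on an endpoint managed by Carbon Black.` The `query` derives `eventTime` as `datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec`, which assumes `eventTime_d` holds epoch milliseconds — presumably correct for this custom table, but a short comment in the query stating the unit would save the next maintainer a lookup. The `count()` produced by the summarize is not carried into any entity or later field, so it could be dropped or given a name if it is meant to surface in the alert.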
From 544e5fecb079b23cb7cb53adf60b8a9790a99b24 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:29 +0000
Subject: [PATCH 186/375] Exported file: Known Manganese IP and UserAgent
activity.json.json
---
...n Manganese IP and UserAgent activity.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
diff --git a/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
new file mode 100644
index 00000000..74a8e5d7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Known Manganese IP and UserAgent activity",
+ "enabled": false,
+ "description": "Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\nReferences: \nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\nhttps://fortiguard.com/psirt/FG-IR-18-384",
+ "alertRuleTemplateName": "a04cf847-a832-4c60-b687-b0b6147da219"
+ }
+ }
+ ]
+}
\ No newline at end of file
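Review bot: `techniques` is `null` on the line after `tactics`, while the `IOCTerms` regex in the `query` targets the Pulse Secure and FortiGate SSL-VPN paths cited in the description's references (SA44101, FG-IR-18-384), i.e. exploitation of a public-facing application; if the rule schema accepts technique IDs here, `"techniques": ["T1190"]` would document that alongside the tactics. In that regex, `[/..]*` is a character class (any run of `/` or `.`), not a repeated `/..` group; it still matches `/../` sequences so behaviour is unaffected, but `(?:/\\.\\.)*` would state the intent. Note that the CommonSecurityLog branch applies `where Message matches regex IOCTerms` after the IP filter, so an IP-only hit without the connection string does not alert — this matches the description's "IP plus Connection string", so it is presumably deliberate, but a comment in the query saying so would help.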
From 9973722014e6b4e05fdf3c68bdb0b72e12afa481 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:30 +0000
Subject: [PATCH 187/375] Exported file: Known NICKEL domains and
hashes.json.json
---
.../Known NICKEL domains and hashes.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
new file mode 100644
index 00000000..9ebf81c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", \n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n 
\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n \"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend 
DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == 
\"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known NICKEL domains and hashes",
+ "enabled": false,
+ "description": "IOC domains and hash values for tools and malware used by NICKEL. \n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.",
+ "alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598"
+ }
+ }
+ ]
+}
\ No newline at end of file
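Review bot: In the CommonSecurityLog branch of the `query`, `| where isnotempty(FileHash)` precedes `| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)`, so a row whose parsed DNSName matches a listed domain but carries no FileHash is discarded before the OR is evaluated; `| where (isnotempty(FileHash) and FileHash in~ (SHA256Hashes)) or (isnotempty(DNSName) and DNSName in~ (DomainNames))` keeps both paths and also makes the hash comparison case-insensitive like the DeviceFileEvents branch. In the Sysmon `Event` branch the parse extracts `SHA256` from `Hashes`, but the filter then compares the whole `Hashes` field with `in (SHA256Hashes)`, which only matches if that field is exactly one bare lowercase hash; `| where SHA256 in~ (SHA256Hashes)` is presumably what was meant, and the pattern `'SHA256=' SHA256 ','` will not parse when SHA256 is the last algorithm in the field and no comma follows. The in-query comment `may need updataing` has a typo (`updating`), and the description names `SecurityEvents` although the query reads Sysmon data from `Event` plus `DeviceFileEvents`, `imFileEvent`, `DeviceNetworkEvents`, `SecurityAlert` and `AzureDiagnostics`.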
From ec7f46f924d38f46ee2c1fe44073665f9477d50b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:31 +0000
Subject: [PATCH 188/375] Exported file: Known PHOSPHORUS group domains_IP -
October 2020.json.json
---
...HORUS group domains_IP - October 2020.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
diff --git a/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
new file mode 100644
index 00000000..9e2d991a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n 
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known PHOSPHORUS group domains/IP - October 2020",
+ "enabled": false,
+ "description": "Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: ",
+ "alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498"
+ }
+ }
+ ]
+}
\ No newline at end of file
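Review bot: In the CommonSecurityLog branch of the `query`, `RequestURLIP = extract(IPRegex, 0, Message)` extracts from `Message` rather than `RequestURL`, and neither `MessageIP` nor `RequestURLIP` is referenced by any later operator in this rule (it matches domains and e-mail addresses only), so the two `extend` lines are dead work and can be dropped — or, if an IP list is intended later, `RequestURLIP` should read from `RequestURL`. The `description` says the rule covers `CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection`, but the query reads `SecurityAlert` (ProviderName `OATP`) and `AzureDiagnostics` and never `OfficeActivity`; it also ends with an empty `References: `, which should either name the October 2020 publication or be removed. The IP entity mapping reads `IPCustomEntity`, which only the DnsEvents branch sets; presumably acceptable, but worth confirming that is intended.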
From 4185e2ded090752fe48f7ee25c9251a73c3153be Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:31 +0000
Subject: [PATCH 189/375] Exported file: Known Phosphorus group
domains_IP.json.json
---
.../Known Phosphorus group domains_IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
diff --git a/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
new file mode 100644
index 00000000..ac14a690
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\", \n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"sessi
on-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"session-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == 
\"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(imDns\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPCustomEntity = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Phosphorus group domains/IP",
+ "enabled": false,
+ "description": "Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.",
+ "alertRuleTemplateName": "155f40c6-610d-497d-85fc-3cf06ec13256"
+ }
+ }
+ ]
+}
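Review bot: In the CommonSecurityLog branch of the query, `RequestURLIP` is extracted from `Message` rather than `RequestURL` (`| extend RequestURLIP = extract(IPRegex, 0, Message)`), so it always equals `MessageIP`; the `RequestURLIP in (IPList)` clause adds nothing and the `"RequestUrl"` label in the `IPMatch` case is effectively unreachable because the `MessageIP` arm is evaluated first. The intended line is presumably `| extend RequestURLIP = extract(IPRegex, 0, RequestURL)`. The description also lists only CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection, while the query additionally reads imDns and two AzureDiagnostics (Azure Firewall DNS proxy and application rule) branches; the description should name every data source so analysts know which connectors the rule depends on. Note that the template ships with `"enabled": false`, so deploying it as exported leaves the detection off until someone flips it.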
\ No newline at end of file
From 98364e81f30d849b16d1082eac5b36b145e46513 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:32 +0000
Subject: [PATCH 190/375] Exported file: Known STRONTIUM group domains - July
2019.json.json
---
...n STRONTIUM group domains - July 2019.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
diff --git a/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
new file mode 100644
index 00000000..8400e3be
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0adc565-7cd3-47f0-9027-c700df43303a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0adc565-7cd3-47f0-9027-c700df43303a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"irf.services\",\"microsoft-onthehub.com\",\"msofficelab.com\",\"com-mailbox.com\",\"my-sharefile.com\",\"my-sharepoints.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\n\"onedrive-sharedfile.com\",\"onedrv-live.com\",\"transparencyinternational-my-sharepoint.com\",\"transparencyinternational-my-sharepoints.com\",\"soros-my-sharepoint.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\n(DnsEvents \n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\n(imDns (domain_has_any=DomainNames)\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPAddress = RemoteIp, Host = Computer),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost)\n)\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known STRONTIUM group domains - July 2019",
+ "enabled": false,
+ "description": "Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.",
+ "alertRuleTemplateName": "074ce265-f684-41cd-af07-613c5f3e6d0d"
+ }
+ }
+ ]
+}
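Review bot: The description says the rule matches "with CommonSecurityLog, DnsEvents and VMConnection dataTypes", but the query's union also draws on `imDns` and on two `AzureDiagnostics` branches for Azure Firewall, so the stated coverage is out of date relative to the query. A maintainer deciding whether the required connectors are present will be misled; the sentence should read something like `Matches domain name IOCs ... with CommonSecurityLog, DnsEvents, imDns, VMConnection and AzureDiagnostics (Azure Firewall) dataTypes.` `"techniques": null` while `tactics` is populated is a documentation gap as well; if the rule is meant to map to ATT&CK, the technique IDs belong next to the tactic.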
\ No newline at end of file
From d5257ffc8590f5975fb902ecdf52a5914006373e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:33 +0000
Subject: [PATCH 191/375] Exported file: Known ZINC Comebacker and Klackring
malware hashes.json.json
---
...mebacker and Klackring malware hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
new file mode 100644
index 00000000..e47bd107
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8a5e860b-05d8-47b1-bb76-f690d926ab12')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8a5e860b-05d8-47b1-bb76-f690d926ab12')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", 
\"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(DnsEvents\n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend Type = \"DnsEvents\", IPAddress = ClientIP\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer 
= DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Known ZINC Comebacker and Klackring malware hashes",
+ "enabled": false,
+ "description": "ZINC attacks against security researcher campaign malware hashes.",
+ "alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605"
+ }
+ }
+ ]
+}
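Review bot: In the Sysmon `Event` branch, `| parse Hashes with * 'SHA256=' SHA256 ',' *` only succeeds when a comma follows the SHA256 value; if SHA256 is the last hash in the `Hashes` string (no trailing comma) the parse leaves `SHA256` empty and the event is silently dropped before the `in~ (SHA256Hash)` check. A pattern that does not depend on the delimiter is safer, e.g. `| extend SHA256 = extract(@"SHA256=([A-Fa-f0-9]{64})", 1, Hashes)`. The same parse shape appears in the "Known ZINC related maldoc hash" rule added later in this series. Two further fragile points worth a comment in the template rather than a change: `EventDetail.[16]` relies on the position of the Hashes field inside the Sysmon EventData (the query's own comment acknowledges this, with a typo "updataing"), and `ProductName == "Microsoft Defender Advanced Threat Protection"` is an exact match that matches nothing if the product name in SecurityAlert is ever reported under the product's newer name.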
\ No newline at end of file
From bce458a10107f04997bd06c1fd092e1308ee3f24 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:34 +0000
Subject: [PATCH 192/375] Exported file: Known ZINC related maldoc
hash.json.json
---
.../Known ZINC related maldoc hash.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
diff --git a/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
new file mode 100644
index 00000000..c3947948
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6587f4a3-260a-470f-a372-fd7d879e9772')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6587f4a3-260a-470f-a372-fd7d879e9772')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known ZINC related maldoc hash",
+ "enabled": false,
+ "description": "Document hash used by ZINC in highly targeted spear phishing campaign.",
+ "alertRuleTemplateName": "3174a9ec-d0ad-4152-8307-94ed04fa450a"
+ }
+ }
+ ]
+}
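Review bot: The Sysmon branch of the query cannot match: it parses the hash into a column named `SHA265` (typo) and then filters with `| where Hashes in (SHA256Hash)`, which compares the whole `Hashes` string (`SHA1=...,MD5=...,SHA256=...`) against the bare 64-character hash, so the parsed value is never used. The filter should compare the parsed column, `| parse Hashes with * 'SHA256=' SHA256 ',' *` followed by `| where SHA256 =~ SHA256Hash`, and the parse should tolerate a missing trailing comma as noted on the Comebacker rule. The `description` gives no reference for the campaign or the hash, unlike the neighbouring Phosphorus/Strontium rules; a `References:` line pointing at the source publication would let analysts validate the IOC before enabling the rule.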
\ No newline at end of file
From 2d61c192315e86d189a91580f612a50eb4e352f6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:34 +0000
Subject: [PATCH 193/375] Exported file: Linked Malicious Storage
Artifacts.json.json
---
.../Linked Malicious Storage Artifacts.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
diff --git a/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
new file mode 100644
index 00000000..ee6c08b8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Collect the alert events\nlet alertData = SecurityAlert \n| where DisplayName has \"Potential malware uploaded to\" \n| extend Entities = parse_json(Entities) \n| mv-expand Entities;\n//Parse the IP address data\nlet ipData = alertData \n| where Entities['Type'] =~ \"ip\" \n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\n//Parse the file data\nlet FileData = alertData \n| where Entities['Type'] =~ \"file\" \n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\n//Combine the File and IP data together\nipData \n| join (FileData) on VendorOriginalId \n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\n//Create a type column so we can track if it was a File storage or blobl storage upload \n| extend type = iff(DisplayName has \"file\", \"File\", \"Blob\") \n| join (\n union\n StorageFileLogs, \n StorageBlobLogs \n //File upload operations \n | where OperationName =~ \"PutBlob\" or OperationName =~ \"PutRange\"\n //Parse out the uploader IP \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0])\n //Extract the filename from the Uri \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri)\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\n //We can work around this by making it an array then converting it to hex from an int \n | extend base64Char = base64_decode_toarray(ResponseMd5) \n | mv-expand base64Char \n | extend hexChar = tohex(toint(base64Char))\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\"0\", hexChar), hexChar) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \n | extend Md5Hash = strcat_array(list_hexChar, \"\")\n //Pack the file information the summarise into a ClientIP row \n | extend p = pack(\"FileName\", FileName, \"FileSize\", RequestBodySize, \"Md5Hash\", Md5Hash, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \n | join kind=leftouter (\n union\n StorageFileLogs,\n StorageBlobLogs \n | where OperationName =~ \"DeleteFile\" or OperationName =~ \"DeleteBlob\" \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0]) \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | extend p = pack(\"FileName\", FileName, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\n ) on ClientIP\n ) on $left.AttackerIP == $right.ClientIP \n| mvexpand UploadedFileInfo \n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \"MD5\", IPCustomEntity = AttackerIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Linked Malicious Storage Artifacts",
+ "enabled": false,
+ "description": "An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.",
+ "alertRuleTemplateName": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d"
+ }
+ }
+ ]
+}
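Review bot: The final `extend` in the query sets `FileHashCustomEntity = LinkedMaliciousFileName`, so the FileHash entity mapping (identifier `Value` → `FileHashCustomEntity`) is populated with a file name rather than the MD5 computed a few lines earlier, and incident entities, threat-intel matching and entity pages for this rule will be wrong. The intended line is almost certainly `| extend FileHashCustomEntity = LinkedMaliciousFileHash, HashAlgorithm = "MD5", IPCustomEntity = AttackerIP`. The query also produces `HashAlgorithm` but the mapping never uses it; the FileHash entity supports an `Algorithm` identifier, so adding `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }` to the `fieldMappings` gives Sentinel a fully qualified hash entity. The `"enabled": false` default applies here as well, so the rule is inert as exported.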
\ No newline at end of file
From 3f9c9acf73010b675f5f5afafcf64183d28be407 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:35 +0000
Subject: [PATCH 194/375] Exported file: Log4j vulnerability exploit aka
Log4Shell IP IOC.json.json
---
...rability exploit aka Log4Shell IP IOC.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
diff --git a/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
new file mode 100644
index 00000000..d3dd465c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6392295f-31e9-45da-8c14-5554a2b3fb7c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6392295f-31e9-45da-8c14-5554a2b3fb7c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"No Match\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch, LogType = Type \n| extend timestamp = StartTime, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"No Match\")\n),\n(OfficeActivity \n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account, LogType = Type\n),\n(DnsEvents\n| where IPAddresses has_any (IPList)\n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imNetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr, LogType = Type\n),\n (VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| extend 
IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer, LogType = Type\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"), LogType = Type\n),\n(WireData\n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, LogType = Type\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, LogType = Type\n),\n(AzureActivity\n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, LogType = 
Type\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, LogType = Type\n), \n( \nDeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"java.exe\" and ProcessCommandLine has_all ('curl -s','wget') or\nProcessCommandLine has_all ('curl',@'${jndi') or \nProcessCommandLine has_any (\"${jndi:ldap://\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop://\",\"${jndi:\",'${web:','${jvmrunargs:')\n| extend LogType = Type\n),\n(\nDeviceNetworkEvents\n| where RemoteIP in(IPList) and ActionType != \"ConnectionFailed\"\n| extend LogType = Type\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Log4j vulnerability exploit aka Log4Shell IP IOC",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228",
+ "alertRuleTemplateName": "6e575295-a7e6-464c-8192-3e1d8fd6a990"
+ }
+ }
+ ]
+}
\ No newline at end of file
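Review bot: `DeviceNetworkEvents` is unioned twice in the query on L16035 — once on `isnotempty(RemoteIP)` and `RemoteIP in (IPList)`, and again at the end on `RemoteIP in(IPList) and ActionType != "ConnectionFailed"` — so every non-failed connection to a listed IP is emitted twice, the second copy without `timestamp`/`IPCustomEntity`, and the rule fires on duplicate rows; keep one branch and fold the `ActionType` condition into it if that is the intent. In the `DeviceProcessEvents` branch `and` binds tighter than `or`, so the `InitiatingProcessFileName =~ "java.exe"` restriction applies only to the first `has_all` clause; if it is meant to scope all three, group them: `| where InitiatingProcessFileName =~ "java.exe" and (ProcessCommandLine has_all ('curl -s','wget') or ProcessCommandLine has_all ('curl',@'${jndi') or ProcessCommandLine has_any (...))`. The IOC list is pulled at query time with `externaldata` from the `master` branch of a public repository, so what this rule matches depends on content the workspace does not control and can change between runs; pinning the URL to a commit or importing the feed into a Watchlist would make results reproducible and reviewable.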
From 138eb987e245b9c9ffb03d80872b1a76850211c4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:36 +0000
Subject: [PATCH 195/375] Exported file: Login to AWS Management Console
without MFA.json.json
---
...to AWS Management Console without MFA.json | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
diff --git a/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
new file mode 100644
index 00000000..cde09b40
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "PrivilegeEscalation",
+ "Persistence",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Login to AWS Management Console without MFA",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
+ "alertRuleTemplateName": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc"
+ }
+ }
+ ]
+}
\ No newline at end of file
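Review bot: The predicate on L16129 tests only `MFAUsed` from `AdditionalEventData`, while `SessionMfaAuthenticated` is carried through the `summarize ... by` list but never consulted; for federated console sessions the MFA step is typically performed at the identity provider and may not be reflected in `MFAUsed` (confirm against this environment's CloudTrail records), in which case those logins alert here even though the session is MFA-authenticated. If that holds, extending the filter to `| where MFAUsed !~ "Yes" and LoginResult !~ "Failure" and tostring(SessionMfaAuthenticated) !~ "true"` removes that class of false positive. The description on L16173 has a typo: `adminsitrative` → `administrative`.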
From 2ca657c1698c69b1aa3f968b89137d9657925296 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:37 +0000
Subject: [PATCH 196/375] Exported file: MFA Rejected by User.json.json
---
.../MFA Rejected by User.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MFA Rejected by User.json
diff --git a/SentinelExported-AnalyticsRule/MFA Rejected by User.json b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
new file mode 100644
index 00000000..bd685e97
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\"\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA Rejected by User",
+ "enabled": false,
+ "description": "Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "d99cf5c3-d660-436c-895b-8a8f8448da23"
+ }
+ }
+ ]
+}
\ No newline at end of file
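Review bot: The match on L16216 hinges on an exact (case-insensitive) comparison with the free-text `Status.additionalDetails` value `"MFA denied; user declined the authentication"`, so any wording change by the sign-in service silently turns the rule off with no error; since `ResultType == 500121` already narrows to the result code this rule is keyed on, a term match such as `| where additionalDetails_ has_all ("denied", "declined")` is more robust, or the text check could be dropped with a comment explaining the code. With `triggerThreshold: 0` and no aggregation, each declined prompt raises its own alert, so one user hitting several prompts in the hour becomes several incidents; a `summarize` by `UserPrincipalName` with a count would let the rule surface repeated rejections, which is the pattern the description is concerned about. The description on L16257 has a typo: `accurances` → `occurrences`.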
From c570184e2fe6b4054deceddfaac3d4f042b7e995 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:37 +0000
Subject: [PATCH 197/375] Exported file: MFA disabled for a user.json.json
---
.../MFA disabled for a user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MFA disabled for a user.json
diff --git a/SentinelExported-AnalyticsRule/MFA disabled for a user.json b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
new file mode 100644
index 00000000..32292735
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(AuditLogs \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA disabled for a user",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ",
+ "alertRuleTemplateName": "65c78944-930b-4cae-bd79-c3664ae30ba7"
+ }
+ }
+ ]
+}
\ No newline at end of file
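Review bot: Neither branch of the query on L16300 carries the outcome of the operation into the alert: the AuditLogs branch does not project `Result`, and the AWSCloudTrail branch does not project `ErrorCode`, so an analyst cannot distinguish a completed MFA removal from a denied attempt without re-running the query. The description states that attempts are in scope, which is reasonable, but adding the outcome column to each `summarize ... by` list (`Result` on the AuditLogs side, `ErrorCode` on the AWS side, assuming both are populated in this workspace) would keep the alert self-contained for triage. The description on L16341 ends with a trailing space and no terminating period.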
From 61179200ece676eb9759c15bb5d9d01f194b34b4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:38 +0000
Subject: [PATCH 198/375] Exported file: MSHTML vulnerability CVE-2021-40444
attack.json.json
---
...L vulnerability CVE-2021-40444 attack.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
diff --git a/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
new file mode 100644
index 00000000..d7624dab
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "MSHTML vulnerability CVE-2021-40444 attack",
+ "enabled": false,
+ "description": "This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \".cpl:../../msword.inf\"\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "alertRuleTemplateName": "972c89fa-c969-4d12-932f-04d55d145299"
+ }
+ }
+ ]
+}
\ No newline at end of file
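Review bot: In the `DeviceProcessEvents` branch of the query on L16385 the account entity is taken from `InitiatingProcessAccountUpn`, which describes the parent (initiating) process rather than the account under which `control.exe`/`rundll32.exe` itself ran; the `SecurityEvent` and Sysmon branches map the account of the created process, so the `Account` entity means different things depending on source. Using `AccountCustomEntity = AccountUpn` in that branch (confirm the column is populated in this tenant's schema) aligns the three branches. The description on L16426 has typos: `commnadline` → `command line` and `Refrence` → `Reference`.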
From d26389f0250266d98ab21386d0e2a5566e92f80a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:39 +0000
Subject: [PATCH 199/375] Exported file: Mail redirect via ExO transport
rule.json.json
---
.../Mail redirect via ExO transport rule.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
diff --git a/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
new file mode 100644
index 00000000..1da049e2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\n \"Unknown\"\n ) \n| mvexpand p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly = case( \n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), \n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), \n ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\n ClientIP\n ) \n| extend Port = case(\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\n ClientIP\n )\n| extend ClientIP = ClientIPOnly\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Mail redirect via ExO transport rule",
+ "enabled": false,
+ "description": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.",
+ "alertRuleTemplateName": "500415fb-bba7-4227-a08a-9857fb61b6a7"
+ }
+ }
+ ]
+}
\ No newline at end of file
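Review bot: The query on L16470 flags only the `BlindCopyTo` and `RedirectMessageTo` parameters, so a transport rule that forwards via `CopyTo` or `AddToRecipients` — which deliver a copy to an external address just as effectively — is not caught; consider `| where p.Name in~ ("BlindCopyTo", "RedirectMessageTo", "CopyTo", "AddToRecipients") and isnotempty(p.Value)`. `RuleName` for `New-TransportRule` is read positionally from `p[1].Value`, which assumes the rule's name is always logged in the second parameter slot; if that ordering is not guaranteed, selecting the element whose `Name` is `"Name"` (for example with `mv-apply` over `p`) is safer. The description on L16512 reads better as `Identifies when an Exchange Online transport rule is configured to forward emails.`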
From 68f6e7b06aba7551678b475edf0a5282f1ffa921 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:40 +0000
Subject: [PATCH 200/375] Exported file: Mail.Read Permissions Granted to
Application.json.json
---
...ad Permissions Granted to Application.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
diff --git a/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
new file mode 100644
index 00000000..44975a82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nAuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| project-away props\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | extend AppName = tostring(TargetResources[0].displayName)\n | extend AppId = tostring(TargetResources[0].id)\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Mail.Read Permissions Granted to Application",
+ "enabled": false,
+ "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.",
+ "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760"
+ }
+ }
+ ]
+}
\ No newline at end of file
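Review bot: The description on L16597 says the application "subsequently has been consented to", but the query on L16556 uses `join kind=leftouter` against the "Consent to application" events, so grants with no matching consent record are kept and `AppName`/`AppId` come back empty for them; either switch to `join kind=inner` to match the description, or keep `leftouter` and reword the description to say consent details are attached when available. The filter `tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` silently drops grants performed by a service principal or automation whose display name contains no `@`, which is exactly the actor a persistence detection most wants to see; if the intent is only to require a known initiator, `isnotempty(...)` on those fields is the clearer check. `extend Type = tostring(TargetResources[0].type)` shadows the table's built-in `Type` column; a name such as `TargetResourceType` avoids the collision.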
From 7f8feb5d49bc415a5ba96d70c4765da9e611db91 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:40 +0000
Subject: [PATCH 201/375] Exported file: Malformed user agent.json.json
---
.../Malformed user agent.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malformed user agent.json
diff --git a/SentinelExported-AnalyticsRule/Malformed user agent.json b/SentinelExported-AnalyticsRule/Malformed user agent.json
new file mode 100644
index 00000000..085e69a9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malformed user agent.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(OfficeActivity | where UserAgent != \"\"),\n(OfficeActivity\n| where RecordType in (\"AzureActiveDirectory\", \"AzureActiveDirectoryStsLogon\")\n| extend OperationName = Operation\n| parse ExtendedProperties with * 'User-Agent\\\\\":\\\\\"' UserAgent2 '\\\\' *\n| parse ExtendedProperties with * 'UserAgent\", \"Value\": \"' UserAgent1 '\"' *\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(AzureDiagnostics\n| where ResourceType =~ \"APPLICATIONGATEWAYS\" \n| where OperationName =~ \"ApplicationGatewayAccess\" \n| extend ClientIP = columnifexists(\"clientIP_s\", \"None\"), UserAgent = columnifexists(\"userAgent_s\", \"None\")\n| where UserAgent != '-'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\n),\n(\nW3CIISLog\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n),\n(SigninLogs\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n)\n)\n// Likely artefact of hardcoding\n| where UserAgent startswith \"User\" or UserAgent startswith '\\\"'\n// Incorrect casing\nor (UserAgent startswith \"Mozilla\" and not(UserAgent containscs \"Mozilla\"))\n// Incorrect casing\nor UserAgent containscs \"(Compatible;\"\n// Missing MSIE version\nor UserAgent matches regex @\"MSIE\\s?;\"\n// Incorrect spacing around MSIE version\nor UserAgent matches regex @\"MSIE(?:\\d|.{1,5}?\\d\\s;)\"\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Malformed user agent",
+ "enabled": false,
+ "description": "Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\nMalformed user agents can be an indication of such malware.",
+ "alertRuleTemplateName": "a357535e-f722-4afe-b375-cff362b2b376"
+ }
+ }
+ ]
+}
\ No newline at end of file
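Review bot: The first union branch, `(OfficeActivity | where UserAgent != "")`, never summarizes, so its rows reach the final `| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account` with no StartTime, SourceIP or Account column and produce alerts with an empty timestamp and empty Account/IP entities. Giving that branch the same `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation` shape as the second OfficeActivity branch would make every branch of the union carry the columns the entity mappings expect. Separately, `tactics` is populated while `"techniques": null`; the same gap is in the Malicious Inbox Rule, Malicious web application requests, both Malware in the recycle bin and Mass secret retrieval files below, and filling in the ATT&CK technique ids would make the rules' coverage reportable.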
From c42529a1b250bacceb4015e1cb2bebeb8aa078cd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:41 +0000
Subject: [PATCH 202/375] Exported file: Malicious Inbox Rule.json.json
---
.../Malicious Inbox Rule.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
diff --git a/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
new file mode 100644
index 00000000..42b68850
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\nOfficeActivity\n| where Operation =~ \"New-InboxRule\"\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has \"DeleteMessage\"\n| extend Events=todynamic(Parameters)\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\n| where SubjectContainsWords has_any (Keywords)\n or BodyContainsWords has_any (Keywords)\n or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malicious Inbox Rule",
+ "enabled": false,
+ "description": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/",
+ "alertRuleTemplateName": "7b907bf7-77d4-41d0-a208-5643ff75bf9a"
+ }
+ }
+ ]
+}
\ No newline at end of file
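Review bot: The Host entity is mapped from `HostCustomEntity = OriginatingServer`, which in OfficeActivity is the Exchange server that processed the request rather than the user's device, so incidents from this rule will likely share the same few host entities and entity-based grouping or the investigation graph would be skewed; consider dropping the Host mapping or documenting in the description what the host represents. The keyword list also mixes plain terms with leading-space entries (`" alert"`, `" suspicious"`); since `has_any` already matches whole terms, the spaces are probably unnecessary and, depending on tokenisation, may stop those two entries matching at all — verify against a sample rule and use plain `"alert"`, `"suspicious"`.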
From c2ae8cdeb19969ced64a9b750c051ff273d08c18 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:42 +0000
Subject: [PATCH 203/375] Exported file: Malicious web application requests
linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
alerts.json.json
---
...rmerly Microsoft Defender ATP) alerts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
diff --git a/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
new file mode 100644
index 00000000..bbd554cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91d5304a-0628-4ab8-9c57-670bb4da620b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91d5304a-0628-4ab8-9c57-670bb4da620b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]); \nlet alertData = materialize(SecurityAlert \n| where TimeGenerated > ago(alertTimeWindow) \n| where ProviderName == \"MDATP\" \n// Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) \n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\" \n| where alertData.Name has_any(scriptExtensions) \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = fileData\n| join kind=inner (hostData) on SystemAlertId \n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join ( \n// Find requests that were made to this file on the impacted server in the W3CIISLog table \nW3CIISLog \n| where TimeGenerated > ago(logTimeWindow) \n// Restrict to accesses to script extensions \n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), 
RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n// Expose the attacker ip address as a custom entity\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts",
+ "enabled": false,
+ "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.",
+ "alertRuleTemplateName": "fbfbf530-506b-49a4-81ad-4030885a195c"
+ }
+ }
+ ]
+}
\ No newline at end of file
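Review bot: The join `on FileName, HostName` is case-sensitive in KQL, and its two sides come from different sources (`HostName = tostring(alertData.HostName)` from the alert entity and `HostName = sComputerName` from W3CIISLog), so a case difference between the host name as the endpoint alert reports it and as IIS logs it would silently drop the correlation; normalising both sides, e.g. `HostName = tolower(tostring(alertData.HostName))` and `HostName = tolower(sComputerName)` (and likewise FileName), would make the match robust. Two spelling issues are also in the new file: the output column `ReqestMethods=make_set(csMethod)` is used consistently but is misspelt, and the description refers to the `WCSIISLog` table where the query reads `W3CIISLog`.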
From 805d7251b7829d9f44c1f0fc219ef50c23ead6d0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:43 +0000
Subject: [PATCH 204/375] Exported file: Malware in the recycle bin (Normalized
Process Events).json.json
---
...cycle bin (Normalized Process Events).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
new file mode 100644
index 00000000..95da1d03
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e669ef82-838e-40b8-8423-efd8303206c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e669ef82-838e-40b8-8423-efd8303206c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]); \nimProcessCreate\n| where CommandLine has \"recycler\"\n| where Process has_any (procList)\n| extend FileName = tostring(split(Process, '\\\\')[-1])\n| where FileName in~ (procList)\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malware in the recycle bin (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies malware that has been hidden in the recycle bin.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "61988db3-0565-49b5-b8e3-747195baac6e"
+ }
+ }
+ ]
+}
\ No newline at end of file
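Review bot: `| where CommandLine has "recycler"` only matches the legacy `RECYCLER` folder name; since Windows Vista the recycle bin lives under `$Recycle.Bin`, so current hosts hiding payloads there are not covered, and the same applies to `| where CommandLine contains ":\\recycler"` in the non-normalized Malware in the recycle bin file below. Extending the filter, e.g. `| where CommandLine has_any ("recycler", "recycle.bin")`, would cover both layouts — verify the term matching against a sample `$Recycle.Bin` command line, since `has` works on tokenised terms. The two rules also anchor the match differently (`has "recycler"` here versus `contains ":\\recycler"` there), which is worth aligning so the ASIM and SecurityEvent variants detect the same thing.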
From 86a0951919046945529287b3afcb81f406949b33 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:44 +0000
Subject: [PATCH 205/375] Exported file: Malware in the recycle bin.json.json
---
.../Malware in the recycle bin.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin.json
diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin.json b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json
new file mode 100644
index 00000000..89fa2d07
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malware in the recycle bin",
+ "enabled": false,
+ "description": "Identifies malware that has been hidden in the recycle bin.\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.",
+ "alertRuleTemplateName": "75bf9902-0789-47c1-a5d8-f57046aa72df"
+ }
+ }
+ ]
+}
\ No newline at end of file
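Review bot: The query depends on `| where EventID==4688` together with `| where isnotempty(CommandLine)`, so it yields nothing unless command-line logging is included in process-creation auditing on the monitored hosts, yet the description only says that it "Identifies malware that has been hidden in the recycle bin". The normalized sibling above states its ASIM parser prerequisite in its description; this one should state its audit-policy prerequisite the same way, e.g. appending `Requires Security Event 4688 with command-line auditing enabled.` to the description.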
From 6c31a33de73106d714d8090a6c7d6d0e7397b9ea Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:45 +0000
Subject: [PATCH 206/375] Exported file: Mass secret retrieval from Azure Key
Vault.json.json
---
...secret retrieval from Azure Key Vault.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
diff --git a/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
new file mode 100644
index 00000000..830e90fb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f5a5c06-ca09-4075-890a-e46be2ee412a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f5a5c06-ca09-4075-890a-e46be2ee412a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventCountThreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList) \n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\n| where count_ > EventCountThreshold \n| join (\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where 
ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where OperationName in~ (OperationList) \n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Mass secret retrieval from Azure Key Vault",
+ "enabled": false,
+ "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise",
+ "alertRuleTemplateName": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
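Review bot: The outer query filters with the case-sensitive `| where OperationName in (OperationList)` while the joined subquery uses the case-insensitive `| where OperationName in~ (OperationList)`, and both allow-list checks use `OperationName == 'VaultGet'`; if operation names ever arrive in a different case the two halves disagree and the join drops rows. Using `in~` (and `=~`) consistently on all three lines would make the rule deterministic. The summarize also mixes the deprecated alias `makelist(TimeGenerated)` with `make_set(...)` on the same line — `make_list(TimeGenerated)` is the current form.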
From 0c983004fcdb3a01be3326b2e1b3157de7a8374e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:46 +0000
Subject: [PATCH 207/375] Exported file: Microsoft COVID-19 file hash indicator
matches.json.json
---
... COVID-19 file hash indicator matches.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
diff --git a/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
new file mode 100644
index 00000000..da0a76f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58279f6d-5629-40b2-852b-66c575dbb0ca')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58279f6d-5629-40b2-852b-66c575dbb0ca')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Microsoft COVID-19 file hash indicator matches",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/",
+ "alertRuleTemplateName": "2be4ef67-a93f-4d8a-981a-88158cb73abd"
+ }
+ }
+ ]
+}
\ No newline at end of file
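Review bot: The indicator set in the `query` string is fetched at run time via `externaldata` from a mutable raw.githubusercontent.com URL on the `master` branch, so the rule's detection content can change without review and the rule silently returns no rows if the fetch fails or the CSV moves; pinning the URL to a commit hash, or importing the feed into the workspace's threat-intelligence table and joining on that, would make the rule deterministic and auditable. Separately, `queryPeriod` is `P14D` while the query itself restricts CommonSecurityLog to `ago(dt_lookBack)` with `dt_lookBack = 1h`, so most of the declared lookback window is never used; either align `queryPeriod` with the hourly window or explain the gap with a KQL comment such as `// queryPeriod is wider than dt_lookBack because: <reason>`.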
From ebe6f6a35d306af17aba844eea5be8269bc454ec Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:47 +0000
Subject: [PATCH 208/375] Exported file: Modified domain federation trust
settings.json.json
---
...fied domain federation trust settings.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
diff --git a/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
new file mode 100644
index 00000000..bc30cc1f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n| mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where NewDomainValue has \"Federated\"\n)\n)\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Modified domain federation trust settings",
+ "enabled": false,
+ "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af"
+ }
+ }
+ ]
+}
\ No newline at end of file
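Review bot: In the `query` string only the first union branch (`Set federation settings on domain`) does `mv-expand AdditionalDetails` before `UserAgent` is derived from `AdditionalDetails.key`, so for the `Set domain authentication` branch `AdditionalDetails` is presumably still an array and `UserAgent` comes out empty. Adding `| mv-expand AdditionalDetails` to the second branch would make both branches yield the same columns and keep the user-agent available for triage of the federated-domain case, which is the one the description singles out. The commented-out `Result` filters are deliberate per the inline comments, so no change is suggested there.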
From 3a310b260bb62ec1942a3307705bbc725b6b31fe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:47 +0000
Subject: [PATCH 209/375] Exported file: Monitor AWS Credential abuse or
hijacking.json.json
---
...tor AWS Credential abuse or hijacking.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
diff --git a/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
new file mode 100644
index 00000000..3a788cd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44975607-3f23-4632-871e-b08b59ebd68c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44975607-3f23-4632-871e-b08b59ebd68c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nAWSCloudTrail\n| where EventName =~ \"GetCallerIdentity\" and UserIdentityType =~ \"AssumedRole\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n| sort by EndTime desc nulls last \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Monitor AWS Credential abuse or hijacking",
+ "enabled": false,
+ "description": "Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html ",
+ "alertRuleTemplateName": "32555639-b639-4c2b-afda-c0ae0abefa55"
+ }
+ }
+ ]
+}
\ No newline at end of file
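Review bot: With `triggerThreshold` 0 and no allow-list in the `query`, every `GetCallerIdentity` call made under an assumed role during the day raises an alert; such calls are presumably also issued routinely by CLI/SDK tooling running under assumed roles, so the rule is likely to be noisy where automation exists. A filter on `UserAgent` or `UserIdentityPrincipalid` for known automation identities, or a per-principal baseline comparison like the one the RDP rule in this series uses, would reduce that. At minimum the `description` could carry `Expect noise from automation that calls GetCallerIdentity under assumed roles; tune with a UserAgent or principal allow-list.`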
From 3f367b8db6f4987b373c8ca498a807e26e4a854a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:48 +0000
Subject: [PATCH 210/375] Exported file: Multiple Password Reset by
user.json.json
---
.../Multiple Password Reset by user.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
diff --git a/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
new file mode 100644
index 00000000..d4e7b35e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet PerUserThreshold = 5;\nlet TotalThreshold = 100;\nlet action = dynamic([\"change\", \"changed\", \"reset\"]);\nlet pWord = dynamic([\"password\", \"credentials\"]);\nlet PasswordResetMultiDataSource =\n(union isfuzzy=true\n(//Password reset events\n//4723: An attempt was made to change an account's password\n//4724: An attempt was made to reset an accounts password\nSecurityEvent\n| where EventID in (\"4723\",\"4724\")\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\n(//Azure Active Directory Password reset events\nAuditLogs\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \"success\"\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \nTargetUserName = tolower(tostring(TargetResources[0].displayName))\n| project TimeGenerated, AccountType, Account, Computer = \"\", Type),\n(//OfficeActive ActiveDirectory Password reset events\nOfficeActivity\n| where OfficeWorkload == \"AzureActiveDirectory\" \n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\n| extend AccountType = UserType, Account = OfficeObjectId \n| project TimeGenerated, AccountType, Account, Type, Computer = \"\"),\n(// Unix syslog password reset events\nSyslog\n| where Facility in (\"auth\",\"authpriv\")\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\n| extend AccountType = iif(SyslogMessage contains \"root\", \"Root\", \"Non-Root\")\n| where SyslogMessage matches regex \".*password changed for.*\"\n| parse SyslogMessage with * \"password changed for\" Account\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\n);\nlet pwrmd = PasswordResetMultiDataSource\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\n(union isfuzzy=true \n(pwrmd\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\n| where Total > PerUserThreshold\n| extend ResetPivot = \"PerUserReset\"), \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\n| where Total > TotalThreshold\n| extend ResetPivot = \"TotalUserReset\")\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Multiple Password Reset by user",
+ "enabled": false,
+ "description": "This query will determine multiple password resets by user across multiple data sources. \nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \nand certain permission levels within an environment.",
+ "alertRuleTemplateName": "0b9ae89d-8cad-461c-808f-0494f70ad5c4"
+ }
+ }
+ ]
+}
\ No newline at end of file
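Review bot: The union branches in `query` do not agree on what `Account` means: the SecurityEvent branch keeps the event's `Account` column (presumably the subject, since the target is carried separately in `TargetUserName`), while the AuditLogs branch sets `Account = tostring(TargetResources[0].userPrincipalName)`, i.e. the target of the reset, and the OfficeActivity branch uses `OfficeObjectId`; the later `summarize ... by Account` therefore groups by actor for one source and by target for others, which does not match the rule name `Multiple Password Reset by user`. Consider deriving `Account` from `InitiatedBy.user.userPrincipalName` in the AuditLogs branch and from `UserId` in the OfficeActivity branch so the per-user pivot is consistently the actor, or state the mixed semantics in `description`. The Syslog branch's `parse SyslogMessage with * "password changed for" Account` also appears to leave a leading space in `Account`, so it will not match the same account from other sources; a `trim(" ", Account)` would fix that.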
From 3296db5ae2b91b04d3c69c3779bfe13345fb5d24 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:49 +0000
Subject: [PATCH 211/375] Exported file: Multiple RDP connections from Single
System.json.json
---
...le RDP connections from Single System.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
diff --git a/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
new file mode 100644
index 00000000..7e1b85c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aaa53051-1af4-42d9-a523-c08752580ade')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aaa53051-1af4-42d9-a523-c08752580ade')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName\n| join kind=leftouter (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\n) on Account, IpAddress\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\n// Where the ratio of today to previous 7 days is more than double.\n| where Ratio > threshold\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Multiple RDP connections from Single System",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \nConnections from the same system with the same account within the same day.\nRDP connections are indicated by the EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "78422ef2-62bf-48ca-9bab-72c69818a425"
+ }
+ }
+ ]
+}
\ No newline at end of file
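Review bot: `makeset(...)` in the `query` string is the deprecated alias of `make_set(...)`, which the other rules in this series already use (the Teams-deletion and password-reset queries, for example); switching the two calls to `make_set(Computer)` and `make_set(ProcessName)` keeps the series consistent. Note also that `Ratio` falls back to `toreal(ComputerCountToday)` when there is no prior-7-day baseline, so an account with no RDP history alerts on reaching three distinct computers in a day while one with history must exceed double its baseline; that is defensible but worth a KQL comment next to the `extend Ratio` line such as `// no baseline: alert on 3+ distinct computers today`.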
From bf9b455b40a8fc1dbf05cd4bcbc1ce6bc0a36ec0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:50 +0000
Subject: [PATCH 212/375] Exported file: Multiple Teams deleted by a single
user.json.json
---
...ltiple Teams deleted by a single user.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
diff --git a/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
new file mode 100644
index 00000000..71af8d26
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c20c6d74-5470-4242-a748-d5625abb65b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c20c6d74-5470-4242-a748-d5625abb65b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// Adjust this value to change how many Teams should be deleted before including\nlet max_delete_count = 3;\n// Adjust this value to change the timewindow the query runs over\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\" \n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\n| where array_length(DeletedTeams) > max_delete_count\n| extend timestamp = StartTime, AccountCustomEntity = UserId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Multiple Teams deleted by a single user",
+ "enabled": false,
+ "description": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.",
+ "alertRuleTemplateName": "173f8699-6af5-484a-8b06-8c47ba89b380"
+ }
+ }
+ ]
+}
\ No newline at end of file
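Review bot: The `description` says the rule flags multiple Teams deleted `within an hour`, but `queryFrequency` and `queryPeriod` are both `P1D` and the query has no time filter of its own, so the effective window is one day; either change the text to `within a day` or set the period to `PT1H`. The `query` also carries a dangling comment, `// Adjust this value to change the timewindow the query runs over`, with no `let` after it (the next line is the `OfficeActivity` source, with a stray leading space), which suggests a time-window variable was removed; drop the comment or restore the variable so the comment describes something.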
From f65990133269dafde1c9a60f9bf9838854fc5c30 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:50 +0000
Subject: [PATCH 213/375] Exported file: Multiple users email forwarded to same
destination.json.json
---
...s email forwarded to same destination.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
diff --git a/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
new file mode 100644
index 00000000..4346f1d9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/066d6852-04de-4dab-9b95-bd3d2835a859')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/066d6852-04de-4dab-9b95-bd3d2835a859')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where Operation =~ \"Set-Mailbox\"\n| where Parameters has \"ForwardingSmtpAddress\"\n| extend parsed = parse_json(Parameters)\n| mv-expand parsed\n| where parsed.Name == \"ForwardingSmtpAddress\"\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\n| where isnotempty(fwdingDestination)\n| extend ClientIPOnly = case( \nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[0]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[0]), \nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[0]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[0]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n) \n| extend Port = case(\nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[1]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[1]), \nClientIP has ']-', tostring(split(ClientIP,\"]-\")[1]), \nClientIP has ']:', tostring(split(ClientIP,\"]:\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[1]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\"]-\")[1]),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\"]:\")[1]),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not 
Available\"\n)\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \n| where DistinctUserCount > 1\n| mv-expand UserId\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Multiple users email forwarded to same destination",
+ "enabled": false,
+ "description": "Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.",
+ "alertRuleTemplateName": "871ba14c-88ef-48aa-ad38-810f26760ca3"
+ }
+ }
+ ]
+}
\ No newline at end of file
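Review bot: In the `Port` case expression of the `query`, the fall-through branches `isnotempty(ClientIP), ClientIP` and `isnotempty(ClientIP_), ClientIP_` assign the whole address to `Port` whenever no port delimiter is found, so the summarized `Ports` set can contain IP addresses; returning `""` there (the `ClientIPOnly` expression already preserves the address) keeps the column's meaning stable. Coverage is also limited to `Set-Mailbox` with `ForwardingSmtpAddress`; forwarding can presumably also be configured through the `ForwardingAddress` parameter and through inbox rules, so if those are not covered by a sibling rule the `description` should state that this rule only detects SMTP forwarding set via Set-Mailbox.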
From 5c86d508fd856e3de19284beed289ab9ad7bdf5a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:51 +0000
Subject: [PATCH 214/375] Exported file: NOBELIUM - Domain and IP IOCs - March
2021.json.json
---
...IUM - Domain and IP IOCs - March 2021.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
new file mode 100644
index 00000000..bb90e636
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b63935f5-aae3-45b5-bd0d-f2da794fd126')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b63935f5-aae3-45b5-bd0d-f2da794fd126')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\nlet IPList = dynamic(['185.225.69.69']);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (DomainNames), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = 
Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Domain and IP IOCs - March 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "bb8a3481-dd14-4e76-8dcc-bbec8776d695"
+ }
+ }
+ ]
+}
\ No newline at end of file
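Review bot: In the CommonSecurityLog branch of `query`, the `IPMatch` case tests `RequestURL in (DomainNames)` although the preceding `where` matched with `RequestURL has_any (DomainNames)`, so a URL that matched by substring falls through to `"NoMatch"`, and that literal is then written into `IPCustomEntity`, which `entityMappings` binds to the IP entity's `Address` identifier. Rows matched only on hostname or URL therefore carry a non-address string as their IP entity. Consider aligning the case branch to `RequestURL has_any (DomainNames), "RequestUrl"` and defaulting `IPCustomEntity` to `""` rather than `"NoMatch"` so no IP entity is emitted when nothing matched; the VMConnection branch has the same `"NoMatch"` default, as does the May 2021 rule in the next patch.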
From ce7b7c9b1b378e7403cae4554b72a48705c61ce2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:52 +0000
Subject: [PATCH 215/375] Exported file: NOBELIUM - Domain, Hash and IP IOCs -
May 2021.json.json
---
...- Domain, Hash and IP IOCs - May 2021.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
new file mode 100644
index 00000000..7c8dfcb9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce11fda8-f604-4547-af58-fa313e8a8146')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce11fda8-f604-4547-af58-fa313e8a8146')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \n| extend DestinationIPAddress = 
IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or 
DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Domain, Hash and IP IOCs - May 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b"
+ }
+ }
+ ]
+}
\ No newline at end of file
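Review bot: The WindowsFirewall branch of `query` computes `IPMatch` but never extends `timestamp` or `IPCustomEntity`, so hits from that table reach the union without the column that `entityMappings` binds to the IP entity and raise an alert with no IP entity attached. Adding `| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "")` after the case mirrors the VMConnection branch. The three hash branches (Sysmon `Event`, `DeviceFileEvents`, `imFileEvent`) likewise project `Computer` and `Account` but not `HostCustomEntity`/`AccountCustomEntity`, so hash matches map to no entity either. Separately, `ips`, `domains` and `sha256s` are fetched on every run from a raw.githubusercontent.com CSV via `externaldata`, so coverage silently changes if that file is altered or unreachable; that dependency deserves a sentence in `description` or a mirrored copy of the feed under the tenant's control.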
From 9729c45f8cdf011f50676a84c8d3d8ad9cae0994 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:53 +0000
Subject: [PATCH 216/375] Exported file: NOBELIUM - Script payload stored in
Registry.json.json
---
...M - Script payload stored in Registry.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
new file mode 100644
index 00000000..6cef6629
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b131e363-3009-4942-a35c-14d5c7284ead')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b131e363-3009-4942-a35c-14d5c7284ead')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let cmdTokens0 = dynamic(['vbscript','jscript']);\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\nSecurityEvent\n| where TimeGenerated >= ago(14d)\n| where EventID == 4688\n| where CommandLine has @'\\Microsoft\\Windows\\CurrentVersion'\n| where not(CommandLine has_any (@'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', @'\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'))\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\n//| where CommandLine has_any (cmdTokens0)\n//| where CommandLine has_all (cmdTokens1)\n| where CommandLine has_all (cmdTokens2)\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Script payload stored in Registry",
+ "enabled": false,
+ "description": "This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "00cb180c-08a8-4e55-a276-63fb1442d5b5"
+ }
+ }
+ ]
+}
\ No newline at end of file
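Review bot: `| where TimeGenerated >= ago(14d)` inside `query` does not widen the rule's lookback, because `queryPeriod` is `P1D`; the scheduler supplies only one day of data, so the filter is a no-op that misleads readers into expecting 14 days of coverage. Either drop that line or raise `queryPeriod` (and `queryFrequency`) to what the detection actually needs. `description` also has the typo `idenifies` for `identifies`, repeated in the two rundll32 rules that follow.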
From 7c7777dc89c3b48eef439dc20a458226d8723668 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:53 +0000
Subject: [PATCH 217/375] Exported file: NOBELIUM - suspicious rundll32.exe
execution of vbscript (Normalized Process Events).json.json
---
... vbscript (Normalized Process Events).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
new file mode 100644
index 00000000..052758f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/beb39f94-ac53-4ab4-b1c2-7b591497b571')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/beb39f94-ac53-4ab4-b1c2-7b591497b571')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)",
+ "enabled": false,
+ "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "bdf04f58-242b-4729-b376-577c4bdf5d3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
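Review bot: This normalized rule's `query` uses `CommandLine has_any ('Execute','RegRead','window.close')`, while the SecurityEvent variant of the same detection in the following patch uses `has_all`; with `has_any`, a single token such as `Execute` anywhere in a rundll32 command line fires the rule, so the two variants will not produce comparable results and this one will be markedly noisier. Unless the divergence is intentional it should read `| where CommandLine has_all ('Execute','RegRead','window.close')`.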
From 6021efaa4ca119c5314e372d3253841812658606 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:54 +0000
Subject: [PATCH 218/375] Exported file: NOBELIUM - suspicious rundll32.exe
execution of vbscript.json.json
---
...us rundll32.exe execution of vbscript.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
new file mode 100644
index 00000000..db510457
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityEvent\n| where EventID == 4688\n| where Process =~ 'rundll32.exe' \n| where CommandLine has_all ('Execute','RegRead','window.close')\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript",
+ "enabled": false,
+ "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "d82e1987-4356-4a7b-bc5e-064f29b143c0"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8f25c0ee5e5da3d89a11468368e0a03104c6afa8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:55 +0000
Subject: [PATCH 219/375] Exported file: NOBELIUM IOCs related to FoggyWeb
backdoor.json.json
---
...IUM IOCs related to FoggyWeb backdoor.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
new file mode 100644
index 00000000..aa714c41
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57b338f9-1c0e-42ee-9b56-1af8886e2047')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57b338f9-1c0e-42ee-9b56-1af8886e2047')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"..\",\n\"..\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union 
isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| 
project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = 
InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, 
IPAddress, CommandLine, FileHash\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM IOCs related to FoggyWeb backdoor",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\n Reference: https://aka.ms/nobelium-foggy-web",
+ "alertRuleTemplateName": "c37711a4-5f44-4472-8afc-0679bc0ef966"
+ }
+ }
+ ]
+}
\ No newline at end of file
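Review bot: In the `query` string (the line beginning `"query": "let iocs = externaldata(`) the hash filter `where Type == \"sha256\"` is case-sensitive while the FilePath and URI filters use `=~`, so if the feed ever spells the type `SHA256` every hash-based branch of the union silently matches nothing; change it to `let sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);`. The same line loads the IOC list at query time from an unpinned `master` URL on raw.githubusercontent.com, which makes a High-severity detection depend on an external fetch that can change or fail with no trace in this file; pinning to a commit SHA, or importing the CSV into a Sentinel watchlist and reading it with `_GetWatchlist`, keeps the IOC set reviewable. The `ADFS_Servers1` datatable still holds the `\"..\"` placeholders, which is harmless but worth a sentence in `description` telling deployers to fill it in.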
From 4f729104eb54c13cf4d04f81dbec500d9adfb2cd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:56 +0000
Subject: [PATCH 220/375] Exported file: Network endpoint to host executable
correlation.json.json
---
...dpoint to host executable correlation.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
diff --git a/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
new file mode 100644
index 00000000..af693c3b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d012df68-9c36-431a-acc1-704063e21101')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d012df68-9c36-431a-acc1-704063e21101')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet endpointData = \n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n );\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Network endpoint to host executable correlation",
+ "enabled": false,
+ "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.",
+ "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43"
+ }
+ }
+ ]
+}
\ No newline at end of file
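Review bot: The join in `query` compares `suspectExeName`, which is lower-cased, against `shortFileName`, which is not, and KQL join keys are case-sensitive, so an endpoint execution logged as `Malware.EXE` never correlates with the blocked URL; normalize the right side too: `| extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))`. The bare `join` defaults to the innerunique flavor, which keeps one Trend Micro row per executable name, so repeated blocks of the same name inside the P1D window collapse into a single match; `join kind=inner` preserves them if that is intended. There is also no time relation between the block and the execution, so any same-named process run anywhere in the 24h window matches, which the description should state.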
From 71895e5db962f622dccb43c44877d427602f8064 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:56 +0000
Subject: [PATCH 221/375] Exported file: New Agent Added to Pool by New User or
Added to a New OS Type_.json.json
---
...y New User or Added to a New OS Type_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
diff --git a/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
new file mode 100644
index 00000000..9ce08ffd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa482a76-22d1-469d-8a47-510e71286ddd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa482a76-22d1-469d-8a47-510e71286ddd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\n// exclude allowed users from query such as the ADO service\nlet allowed_users = dynamic([\"Azure DevOps Service\"]);\nunion\n// Look for agents being added to a pool of a OS type not seen with that pool before\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])\n| project AgentPoolName, OsDescription\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])) on AgentPoolName, OsDescription),\n// Look for users addeing agents to a pool that they have not added agents to before.\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| where ActorUPN !in (allowed_users)\n| project AgentPoolName, ActorUPN\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n) on AgentPoolName, ActorUPN)\n| extend AgentName = tostring(Data.AgentName)\n| extend OsDescription = tostring(Data.OsDescription)\n| extend SystemDetails = Data.SystemCapabilities\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New Agent Added to Pool by New User or Added to a New OS Type.",
+ "enabled": false,
+ "description": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \nconfigurable allow list to allow for certain users to be excluded from the logic.",
+ "alertRuleTemplateName": "4ce177b3-56b1-4f0e-b83e-27eed4cb0b16"
+ }
+ }
+ ]
+}
\ No newline at end of file
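Review bot: The baseline of the second union branch in `query` (the side that ends in `| project AgentPoolName, ActorUPN`) has no `OperationName` filter, so any earlier audit event by a user that carries a `Data.AgentPoolName` (an agent removal, a pool update) counts as that user having added agents to the pool before and suppresses the alert; add `| where OperationName =~ \"Library.AgentAdded\"` before the `project`. The allow list is applied inconsistently in the first branch: the baseline excludes `allowed_users` but the right side of the `rightanti` join does not, so an allowed principal adding the first agent of a new OS type still alerts, contrary to the description. Using `=~` for `OperationName` in all four filters would also remove the mixed `==`/`=~` comparisons.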
From 428dace5426311e2cf4f8f45097148053f70aa2c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:57 +0000
Subject: [PATCH 222/375] Exported file: New CloudShell User.json.json
---
.../New CloudShell User.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New CloudShell User.json
diff --git a/SentinelExported-AnalyticsRule/New CloudShell User.json b/SentinelExported-AnalyticsRule/New CloudShell User.json
new file mode 100644
index 00000000..52d70ed6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New CloudShell User.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb49283b-b564-43d4-868c-2a6186144d8e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb49283b-b564-43d4-868c-2a6186144d8e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\") \n| where ActivityStatusValue == \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\") \n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New CloudShell User",
+ "enabled": false,
+ "description": "Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only expected user are using CloudShell",
+ "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e"
+ }
+ }
+ ]
+}
\ No newline at end of file
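Review bot: The rule has no `entityMappings`, although the query ends with `Caller`, `UserIP` and `AzureIP` columns, so incidents it creates carry no Account or IP entity and cannot be investigated or grouped by principal; add `| extend AccountCustomEntity = Caller, IPCustomEntity = UserIP` to the query and map `Account`/`FullName` and `IP`/`Address` to those columns, as the sibling rules in this series do. The `description` says the rule identifies a user creating CloudShell "for the first time", but the query has no historical baseline and will fire on every listKeys+write pair in a cloud-shell resource group inside a 3-minute bin; either add a `join kind=leftanti` against earlier activity by the same `Caller`, or reword the description to match what the query does.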
From 1efcef8f88552b0c3cd2c56ee7500199466aba5e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:58 +0000
Subject: [PATCH 223/375] Exported file: New High Severity Vulnerability
Detected Across Multiple Hosts (1).json.json
---
...ty Detected Across Multiple Hosts (1).json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
new file mode 100644
index 00000000..caab1b82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f88f852a-b2cb-4e34-b282-36549eb50b2b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f88f852a-b2cb-4e34-b282-36549eb50b2b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts",
+ "enabled": false,
+ "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts",
+ "alertRuleTemplateName": "6116dc19-475a-4148-84b2-efe89c073e27"
+ }
+ }
+ ]
+}
\ No newline at end of file
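Review bot: This rule's `displayName` and `description` are identical to the `QualysHostDetection_CL`-based rule exported alongside it, so once both are deployed an analyst cannot tell from the incident which connector schema produced it; naming this one e.g. `New High Severity Vulnerability Detected Across Multiple Hosts (Qualys V2)` and mentioning `QualysHostDetectionV2_CL` in the description avoids that. The `summarize` keeps only `dcount(NetBios_s)` per QID, so the incident names neither the affected hosts nor any entity; adding `Hosts = make_set(NetBios_s)` to the `summarize` makes the alert actionable without changing the trigger. `Vulnerability = tostring(QID_s)` in the `extend` is unused, and the description misspells "multilple".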
From a0e1be4655df9ed33bb8e5ef7ddcc9038ca4ed1b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:17:59 +0000
Subject: [PATCH 224/375] Exported file: New High Severity Vulnerability
Detected Across Multiple Hosts.json.json
---
...bility Detected Across Multiple Hosts.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
new file mode 100644
index 00000000..82fd3921
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61a3f08d-ad2d-49cb-baac-9edc6235e968')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61a3f08d-ad2d-49cb-baac-9edc6235e968')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts",
+ "enabled": false,
+ "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts",
+ "alertRuleTemplateName": "84cf1d59-f620-4fee-b569-68daf7008b7b"
+ }
+ }
+ ]
+}
\ No newline at end of file
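Review bot: The `summarize` in `query` reduces each QID to a `dcount(NetBios_s)` count, so the incident does not say which hosts are affected and has no host entity to pivot on; `Hosts = make_set(NetBios_s)` alongside the count keeps the threshold logic intact and gives the analyst the list. The filter `Severity == \"5\"` selects only Qualys's top level (Urgent, as I recall), so if level 4 is also meant by "high severity" in the description the condition should be `Severity in (\"4\", \"5\")` — please confirm against the Qualys severity scale in use. The `Vulnerability` column from `Detections_s.Results` is computed but never used, and the description misspells "multilple".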
From 27a8038945ed109a99b79e3363771af149eba5ce Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:00 +0000
Subject: [PATCH 225/375] Exported file: New PA, PCA, or PCAS added to Azure
DevOps.json.json
---
...A, PCA, or PCAS added to Azure DevOps.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
diff --git a/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
new file mode 100644
index 00000000..3e492d79
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Group.UpdateGroupMembership.Add\"\n| where Details has_any (\"Project Administrators\", \"Project Collection Administrators\", \"Project Collection Service Accounts\", \"Build Administrator\")\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\n| extend timekey = bin(TimeGenerated, 1h)\n| extend ActorUserId = tostring(Data.MemberId)\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\n// Get details of operations conducted by user soon after elevation of permissions\n| join (AzureDevOpsAuditing\n| extend ActorUserId = tostring(Data.MemberId)\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New PA, PCA, or PCAS added to Azure DevOps",
+ "enabled": false,
+ "description": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \nshould also be conducted.",
+ "alertRuleTemplateName": "35ce9aff-1708-45b8-a295-5e9a307f5f17"
+ }
+ }
+ ]
+}
\ No newline at end of file
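Review bot: The self-join in `query` keys on `timekey = bin(TimeGenerated, 1h)`, so "operations conducted by user soon after elevation" only captures events in the same clock hour as the grant; a membership added at 13:58 correlates with at most two minutes of follow-on activity, and a window join (`join kind=inner ... on ActorUserId` followed by `| where TimeGenerated between (TimeAdded .. TimeAdded + 1h)`) expresses the intent directly. Both sides also set `ActorUserId = tostring(Data.MemberId)`, i.e. the id of the principal being added, so the right side matches later events about that member rather than events performed by them; if `AzureDevOpsAuditing` exposes the actor's own id as a native column (the schema I recall has `ActorUserId`), the right side should join on that instead — please confirm against the connector schema. Lastly `has_any` is term-based, so `\"Build Administrator\"` will not match the default group if its name is the plural `Build Administrators`; check the exact group name.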
From 33d7087527ddcd1be58e61e700a9f8ede1e8c58a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:01 +0000
Subject: [PATCH 226/375] Exported file: New UserAgent observed in last 24
hours.json.json
---
...w UserAgent observed in last 24 hours.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
diff --git a/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
new file mode 100644
index 00000000..ffd6f64e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New UserAgent observed in last 24 hours",
+ "enabled": false,
+ "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.",
+ "alertRuleTemplateName": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
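Review bot: The rule is exported with `"enabled": false` and `"techniques": null`, and the same pair appears in every rule of this batch (patches 227–231), so deploying these templates creates rules that do not run and carry no ATT&CK technique metadata for triage. If the export is meant as a deployable baseline rather than a snapshot of the source workspace, enable each rule deliberately and fill `techniques` so incident grouping and coverage reports can use it. The `"description"` value also misspells "rarity" as "rareity"; since this string is shown to analysts in the portal it is worth fixing in the source rule before re-export.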
From 11ed20cd0909d4702f9b5b1bf678e4b4f6278405 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:01 +0000
Subject: [PATCH 227/375] Exported file: New access credential added to
Application or Service Principal.json.json
---
...d to Application or Service Principal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
diff --git a/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
new file mode 100644
index 00000000..45837da8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb0035d3-3ac9-40d5-976e-6076f906473c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb0035d3-3ac9-40d5-976e-6076f906473c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| 
project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New access credential added to Application or Service Principal",
+ "enabled": false,
+ "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "79566f41-df67-4e10-a703-c38a6213afd8"
+ }
+ }
+ ]
+}
\ No newline at end of file
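Review bot: The filter `| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` in the `"query"` value keeps only user-initiated events (or apps whose display name happens to contain "@"), so a credential added by another service principal through Graph would presumably never reach the alert, which is a common automation path an operator may want covered. If that exclusion is intentional, say so in the query comments next to that line; otherwise consider relaxing it to `| where isnotempty(InitiatedBy.user.userPrincipalName) or isnotempty(InitiatedBy.app.displayName)` and handling noise via the later `InitiatingUserOrApp` column. The `| where old_value_set != "[]"` clause also means the very first credential added to an app is not alerted, which the `"description"` states but which deserves a one-line comment in the query itself so a tuner does not remove the clause unknowingly.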
From 8ee5daefb95bf0ed916b804fd4bf1c48a9173e07 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:02 +0000
Subject: [PATCH 228/375] Exported file: New executable via Office FileUploaded
Operation.json.json
---
...ble via Office FileUploaded Operation.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
diff --git a/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
new file mode 100644
index 00000000..038be497
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// a threshold can be enabled, see commented line below for PrevSeenCount\nlet threshold = 2;\nlet uploadOp = 'FileUploaded';\n// Extensions that are interesting. Add/Remove to this list as you see fit\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\nlet starttime = 8d;\nlet endtime = 1d;\nOfficeActivity | where TimeGenerated >= ago(endtime)\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \"upload\" or Operation contains \"download\"\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\n| join kind= leftanti (\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\n//| where PrevSeenCount > threshold\n| mvexpand SourceRelativeUrl, UserId\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId \n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_',UserId))\n// identify when UserId is not a match to the specific site url personal folder reference\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "New executable via Office FileUploaded Operation",
+ "enabled": false,
+ "description": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\nAdditionally, identifies when a given user is uploading these files to another users workspace.\nThis may be indication of a staging location for malware or other malicious activity.",
+ "alertRuleTemplateName": "d722831e-88f5-4e25-b106-4ef6e29f8c13"
+ }
+ }
+ ]
+}
\ No newline at end of file
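Review bot: The extension list `let execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);` in the `"query"` value is duplicated verbatim in the `"description"` ("List currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions."), so any tuning of the list per the query's own "Add/Remove to this list as you see fit" comment will leave the analyst-facing description wrong; either drop the enumeration from the description or add a comment at the `let execExt` line reminding the tuner to update both. Given the rule's stated purpose (staging of executable content in SharePoint/OneDrive), commonly abused script and installer types such as `ps1`, `vbs`, `js`, `hta`, `msi`, `dll`, `scr`, `lnk` and `iso` are absent from the list and are worth considering for the tuned version. `let threshold = 2;` is declared but only used by the commented-out `//| where PrevSeenCount > threshold` line, which is fine as documented but should stay adjacent to that comment so it is not mistaken for dead code.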
From a3f14aaab60f6c4e20444aa65ae21c52495df24d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:03 +0000
Subject: [PATCH 229/375] Exported file: New internet-exposed SSH
endpoints.json.json
---
.../New internet-exposed SSH endpoints.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
diff --git a/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
new file mode 100644
index 00000000..77ac33c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de4a8f18-acf0-4738-a6b2-2302216fdf48')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de4a8f18-acf0-4738-a6b2-2302216fdf48')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'; \nlet avgthreshold = 0;\nlet probabilityLimit = 0.01;\nlet ssh_logins = Syslog\n| where Facility contains \"auth\" and ProcessName =~ \"sshd\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) \n| where isnotempty(SourceIP)\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\");\nssh_logins \n| summarize privatecount=countif(ipType==\"private\"), publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, 1d)\n| summarize \npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\n(\n order by todatetime(publicIPLoginHistory['logon_time']) asc\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\n)\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\n(\n order by todatetime(privateIPLoginHistory['logon_time']) asc\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\n)\n// Some logins from private IPs\n| where privateAverage > avgthreshold\n// There is a non-zero number of logins from public IPs\n| where publicAverage > avgthreshold\n// Approximate probability of seeing login from a public IP is < 1%\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\n| where probabilityPublic < 
probabilityLimit\n// Today has the highest number of logins from public IPs that we've seen in the last week\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\n| where publicLoginCountToday >= maxPublicLoginCount\n| extend HostCustomEntity = HostName\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\n// | join kind=rightsemi (\n// ssh_logins\n// | where ipType == \"public\"\n// ) on HostName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New internet-exposed SSH endpoints",
+ "enabled": false,
+ "description": "Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.",
+ "alertRuleTemplateName": "4915c713-ab38-432e-800b-8e2d46933de6"
+ }
+ }
+ ]
+}
\ No newline at end of file
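Review bot: The `SourceIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,SyslogMessage)` expression in the `"query"` value only matches IPv4 literals, and the following `| where isnotempty(SourceIP)` then drops every sshd "Accepted" line that carries an IPv6 peer, so a host reachable over public IPv6 can never trip this rule; if IPv6 SSH is possible in the environment, the extraction needs an IPv6 alternative and `PrivateIPregex` needs the corresponding local prefixes. Independently, `PrivateIPregex` omits link-local 169.254.0.0/16 and CGNAT 100.64.0.0/10, which will be counted as "public" and inflate `publicAverage`; extending it with `^169\.254\.|^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.` (backslashes doubled inside the JSON string) closes that gap. The bucket key `bin(EventTime, 1d)` relies on the `EventTime` column of the Syslog table rather than `TimeGenerated`; that is consistent with the rest of the query but worth a one-line comment since the surrounding filters use `TimeGenerated` implicitly via the rule's `queryPeriod`.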
From 22562333f2fac452158604843c3b2ef0f3687d34 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:04 +0000
Subject: [PATCH 230/375] Exported file: New user created and added to the
built-in administrators group.json.json
---
... to the built-in administrators group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
diff --git a/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
new file mode 100644
index 00000000..5c94c4cb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "SecurityEvent\n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\n| join (\nSecurityEvent \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "New user created and added to the built-in administrators group",
+ "enabled": false,
+ "description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.",
+ "alertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db"
+ }
+ }
+ ]
+}
\ No newline at end of file
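Review bot: The query comment `//Create User first, then the add to the group.` describes an ordering that nothing in the `"query"` value enforces: the join is `on CreatedUserSid` alone, so a 4732 group-add that precedes the 4720 creation event within the same day (SID reuse, or an out-of-order ingest) is joined just the same. Adding `| where GroupAddTime >= CreatedUserTime` immediately after the `on CreatedUserSid` line makes the comment true and cheaply removes that false-positive path. The rule only looks at local-group event 4732 with `TargetSid == "S-1-5-32-544"`; if domain-level admin groups are also in scope, that is a separate rule covering 4728/4756 rather than a change here, and the `"description"` ("builtin Administrators group") is accurate for what is implemented.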
From b128dd931b5167b466c7f9be2cac8393cc32756b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:05 +0000
Subject: [PATCH 231/375] Exported file: Non Domain Controller Active Directory
Replication.json.json
---
...ntroller Active Directory Replication.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
diff --git a/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
new file mode 100644
index 00000000..c5cfad18
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/916dae72-d95a-41c4-9370-30ff57177fbf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/916dae72-d95a-41c4-9370-30ff57177fbf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Non Domain Controller Active Directory Replication",
+ "enabled": false,
+ "description": "This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html'",
+ "alertRuleTemplateName": "b9d2eebc-5dcb-4888-8165-900db44443ab"
+ }
+ }
+ ]
+}
\ No newline at end of file
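Review bot: The join `on $left.SubjectLogonId == $right.TargetLogonId` in the `"query"` value does not include `Computer`, and Windows logon IDs are only unique per host and boot session, so with a 7-day `queryPeriod` across all machines a 4662 replication event can be paired with a 4624 from an unrelated host and attribute the wrong `IpAddress`; projecting `Computer` on the right side (`| project TargetLogonId, IpAddress, Computer`) and joining `on $left.SubjectLogonId == $right.TargetLogonId, $left.Computer == $right.Computer` pins the source address to the host that logged the replication. The query also sets `SourceAddress = IpAddress` but `entityMappings` only maps Account and Host, so the attacker's IP is never surfaced as an IP entity for grouping or enrichment; an `"entityType": "IP"` mapping with `"identifier": "Address"` on `SourceAddress` is the fix. Finally, the `"description"` string ends with a stray `'` after the URL, which should be removed in the source rule.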
From 189bc3198f55b39647e2056a6852ebe00054bcd9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:05 +0000
Subject: [PATCH 232/375] Exported file: OMI Vulnerability
Exploitation.json.json
---
.../OMI Vulnerability Exploitation.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
diff --git a/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
new file mode 100644
index 00000000..c84ef3f2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major
Date: Thu, 2 Mar 2023 02:18:07 +0000
Subject: [PATCH 233/375] Exported file: Office policy tampering.json.json
---
.../Office policy tampering.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Office policy tampering.json
diff --git a/SentinelExported-AnalyticsRule/Office policy tampering.json b/SentinelExported-AnalyticsRule/Office policy tampering.json
new file mode 100644
index 00000000..319b74f2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Office policy tampering.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let opList = OfficeActivity \n| summarize by Operation\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\n| where Operation has_any (\"Remove\", \"Disable\")\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\n| summarize make_set(Operation);\nOfficeActivity\n// Only admin or global-admin can disable/remove policy\n| where RecordType =~ \"ExchangeAdmin\"\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// Pass in interesting Operation list\n| where Operation in~ (opList)\n| extend ClientIPOnly = case( \nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP\n) \n| extend Port = case(\nClientIP has \".\", (split(ClientIP,\":\")[1]),\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\nClientIP\n)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Office policy tampering",
+ "enabled": false,
+ "description": "Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.",
+ "alertRuleTemplateName": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3"
+ }
+ }
+ ]
+}
\ No newline at end of file
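Review bot: The `Port` extension in the query on L19336 is written inconsistently across its `case()` branches: the IPv6 branch wraps the split result in `tostring(...)`, while the IPv4 branch returns `(split(ClientIP,":")[1])` untyped, so `Port` is not uniformly a string the way `ClientIPOnly` directly above it is. The IPv4 branch should read `ClientIP has ".", tostring(split(ClientIP,":")[1]),` to match. Note also that `opList` is derived from the same `OfficeActivity` data the rule scans over its one-day period, so only operation names actually observed in that window are matched; a short comment in the query such as `// opList is built from operations observed in the query period` would save the next maintainer from reading it as a static allow-list.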
From 2d48db00c9f2369a11379c778a7484aeeb8003fe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:07 +0000
Subject: [PATCH 234/375] Exported file: PIM Elevation Request
Rejected.json.json
---
.../PIM Elevation Request Rejected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
diff --git a/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
new file mode 100644
index 00000000..dec0deb4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9e6f155-4049-4401-89e3-a9f769675eb6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9e6f155-4049-4401-89e3-a9f769675eb6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result == \"failure\"\n| extend Role = tostring(TargetResources[3].displayName)\n| extend User = tostring(TargetResources[2].displayName)\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "PIM Elevation Request Rejected",
+ "enabled": false,
+ "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+ "alertRuleTemplateName": "7d7e20f8-3384-4b71-811c-f5e950e8306c"
+ }
+ }
+ ]
+}
\ No newline at end of file
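Review bot: The query on L19422 reads `Role` and `User` from fixed positions `TargetResources[3].displayName` and `TargetResources[2].displayName`, which is fragile: if the ordering of target resources in AuditLogs differs from what is assumed, the entities come back empty rather than raising an error, and the incident silently loses its Account mapping. Selecting the element by its `type` field rather than by index is more robust, but confirm the exact shape against the tenant's AuditLogs before changing it. Separately, `InitiatingUser` is extended but never used, while `AccountCustomEntity` maps the target `User` and `IPCustomEntity` maps `InitiatedBy.user.ipAddress`; if requester and target differ, the IP is attributed to the wrong account, which the description on L19463 should at least acknowledge.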
From 71a3a5c3ce31502eb415038f1f86c01ed38022a7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:08 +0000
Subject: [PATCH 235/375] Exported file: Palo Alto - possible internal to
external port scanning.json.json
---
...le internal to external port scanning.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
diff --git a/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
new file mode 100644
index 00000000..1a1c74aa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nCommonSecurityLog \n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\") \n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer != \"\" \n| where DestinationIP !startswith \"10.\"\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \n| where AdditionalExtensions !has \"reason=aged-out\" \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where AdditionalExtensions !has \"reason=tcp-fin\" \n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, 
DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Palo Alto - possible internal to external port scanning",
+ "enabled": false,
+ "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK",
+ "alertRuleTemplateName": "5b72f527-e3f6-4a00-9908-8e4fee14da9f"
+ }
+ }
+ ]
+}
\ No newline at end of file
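Review bot: The ephemeral-port exclusion in the query on L19507, `| where DestinationPort !between (toint(49512) .. toint(65535))`, uses 49512 where the IANA dynamic range referenced in the preceding comment starts at 49152, so ports 49152–49511 are never excluded; the line should read `| where DestinationPort !between (toint(49152) .. toint(65535))`. The description on L19558 says the rule identifies internal 10.x.x.x source hosts, but the query never constrains `SourceIP`, and the only private-range check is `DestinationIP !startswith "10."`, which still counts 172.16/12 and 192.168/16 destinations — either the description or the filter should be brought into line. `makeset(DestinationIP)` is the legacy spelling; `make_set(DestinationIP)` matches the other rules in this series.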
From 1f8217e9d2733072898dcc4fc9cf5035dbed7f84 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:09 +0000
Subject: [PATCH 236/375] Exported file: Palo Alto - potential beaconing
detected.json.json
---
...o Alto - potential beaconing detected.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
diff --git a/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
new file mode 100644
index 00000000..88c05774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (ago(starttime)..ago(endtime))\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, 
AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Palo Alto - potential beaconing detected",
+ "enabled": false,
+ "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/",
+ "alertRuleTemplateName": "f0be259a-34ac-4946-aa15-ca2b115d5feb"
+ }
+ }
+ ]
+}
\ No newline at end of file
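Review bot: The query on L19602 restricts itself to `TimeGenerated between (ago(starttime)..ago(endtime))` with `starttime = 2d` and `endtime = 1d`, i.e. the window from two days ago to one day ago, but `"queryPeriod": "P1D"` on L19598 only exposes the last 24 hours to a scheduled rule, so this rule is likely to return no rows at all once enabled. Either raise the lookback to `"queryPeriod": "P2D"` or drop the explicit window so the query runs over the rule's own lookback; confirm which is intended before flipping `enabled`. The three `let` thresholds (`TimeDeltaThreshold`, `TotalEventsThreshold`, `PercentBeaconThreshold`) are the tuning knobs and would benefit from a one-line comment each stating what they bound.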
From 35baa4ecde2aa157b61cefdae653a74c1c3f2ff0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:10 +0000
Subject: [PATCH 237/375] Exported file: Password spray attack against Azure AD
application.json.json
---
...y attack against Azure AD application.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
diff --git a/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
new file mode 100644
index 00000000..a50426ef
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, 
UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup \n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Password spray attack against Azure AD application",
+ "enabled": false,
+ "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+ "alertRuleTemplateName": "48607a29-a26a-4abf-8078-a06dbdd174a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
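Review bot: In the query on L19697 result type 50055 appears in both `failureCodes` (`dynamic([50053, 50126, 50055])`) and `successCodes`, so in the final join a principal returning 50055 is counted by both `dcountif` aggregations and skews the `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` comparison; the trailing comment labels it an expired password, which reads as a failure, so it should be removed from `successCodes`. The `isGUID` pattern is lowercase-only and `matches regex` is case-sensitive, so an `Identity` rendered as an upper-case GUID would not be treated as unresolved and would never be looked up — `[0-9a-fA-F]` or a `(?i)` prefix closes that gap, subject to how `Identity` is actually rendered in the tenant. `arraylength(...)` is the legacy alias for `array_length(...)`.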
From eb965fe1c619d5ca6c8d3e8f983a5531b65d1279 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:10 +0000
Subject: [PATCH 238/375] Exported file: Port Scan Detected.json.json
---
.../Port Scan Detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Port Scan Detected.json
diff --git a/SentinelExported-AnalyticsRule/Port Scan Detected.json b/SentinelExported-AnalyticsRule/Port Scan Detected.json
new file mode 100644
index 00000000..9aee9b63
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Port Scan Detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 50;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\"\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\n| where dcount_Dst_Port > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Port Scan Detected",
+ "enabled": false,
+ "description": "This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.",
+ "alertRuleTemplateName": "427e4c9e-8cf4-4094-a684-a2d060dbca38"
+ }
+ }
+ ]
+}
\ No newline at end of file
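Review bot: The `summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)` in the query on L19774 drops the destination side entirely, so the incident identifies the scanning source but gives the analyst nothing about which hosts were probed; adding a bounded `make_set(...)` of the destination address column (presumably `Dst_IP` in this parser — confirm) to the summarize would preserve that without altering the trigger condition. `timestamp = TimeGenerated` maps to the start of the 5-minute bin rather than the first observed event; carrying `min(TimeGenerated)` through the summarize would be more precise. The description on L19806 would also be clearer if it stated the threshold (`threshold = 50` distinct ports in 5 minutes) that the query enforces.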
From 092da9c84cca9b15617702a457ec46098caea13c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:11 +0000
Subject: [PATCH 239/375] Exported file: Possible STRONTIUM attempted
credential harvesting - Oct 2020.json.json
---
...pted credential harvesting - Oct 2020.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
new file mode 100644
index 00000000..90a1a987
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14c4920e-9a71-4680-aa78-da32072e8dc2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14c4920e-9a71-4680-aa78-da32072e8dc2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Possible STRONTIUM attempted credential harvesting - Oct 2020",
+ "enabled": false,
+ "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.",
+ "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c"
+ }
+ }
+ ]
+}
\ No newline at end of file
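Review bot: This rule has no `entityMappings` section, unlike the sibling rules in this series, even though `"createIncident": true` on L19854 means incidents will be raised — they will carry no Account or IP entities. Because the query on L19850 summarizes by `UserAgent` and folds accounts into `attemptedAccounts`, a direct mapping is not straightforward, which is worth stating in the description so the gap reads as deliberate rather than an omission. The `User_Agents` list is a point-in-time indicator set tied to the Oct 2020 activity and `authAttempts > 500` is hard-coded; a comment in the query recording the list's date and the threshold's rationale would help whoever tunes or retires it.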
From 5ff678b33ddccc18e64044dea42aa3bdbe86ac3e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:12 +0000
Subject: [PATCH 240/375] Exported file: Possible STRONTIUM attempted
credential harvesting - Sept 2020.json.json
---
...ted credential harvesting - Sept 2020.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
new file mode 100644
index 00000000..a0d47cdb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Possible STRONTIUM attempted credential harvesting - Sept 2020",
+ "enabled": false,
+ "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.",
+ "alertRuleTemplateName": "04384937-e927-4595-8f3c-89ff58ed231f"
+ }
+ }
+ ]
+}
\ No newline at end of file
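Review bot: `ClientIP has_any (IPs)` in the query string on L19915 is a term search rather than a prefix match: as far as I can tell the dotted prefixes in `IPs` are tokenised into consecutive numeric terms, so an address such as `10.199.249.230` also satisfies `199.249.230.`, and a prefix that does not end on an octet boundary cannot be expressed at all. If the intent is the /24 ranges these strings suggest, state them as CIDR and use the IP-aware predicate, `let IPs = dynamic(["199.249.230.0/24", "185.220.101.0/24", "23.129.64.0/24", "109.70.100.0/24", "185.220.102.0/24"]);` with `| where ipv4_is_in_any_range(ClientIP, IPs)` — confirm the intended ranges against the blog post referenced on L19936 first. The `RequestType` column extended on the same line is never used by the summarize and could be dropped. The indicator list is hard-coded and dated September 2020, so the description would be more useful if it said the list must be refreshed before the rule is enabled.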
From e205e71758892f2aaf8260f13259ff39cc8bb8d5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:13 +0000
Subject: [PATCH 241/375] Exported file: Possible contact with a domain
generated by a DGA.json.json
---
...tact with a domain generated by a DGA.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
diff --git a/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
new file mode 100644
index 00000000..15c28f10
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/340041fc-2cb7-423b-9da9-ec04a258f864')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/340041fc-2cb7-423b-9da9-ec04a258f864')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet triThreshold = 500;\nlet startTime = 6h;\nlet dgaLengthThreshold = 8;\n// fetch the alexa top 1M domains\nlet top1M = (externaldata (Position:int, Domain:string) [@\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\"] with (format=\"csv\", zipPattern=\"*.csv\"));\n// extract tri grams that are above our threshold - i.e. are common\nlet triBaseline = top1M\n| extend Domain = tolower(extract(\"([^.]*).{0,7}$\", 1, Domain))\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", Domain), extract_all(\"(...)\", substring(Domain, 1)), extract_all(\"(...)\", substring(Domain, 2)))\n| mvexpand Trigram=AllTriGrams\n| summarize triCount=count() by tostring(Trigram)\n| sort by triCount desc\n| where triCount > triThreshold\n| distinct Trigram;\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\nlet allDataSummarized = CommonSecurityLog\n| where TimeGenerated > ago(startTime)\n| where isnotempty(DestinationHostName)\n| extend Name = tolower(DestinationHostName)\n| distinct Name\n| where Name has \".\"\n| where Name !endswith \".home\" and Name !endswith \".lan\"\n// extract DGA candidate\n| extend DGADomain = extract(\"([^.]*).{0,7}$\", 1, Name)\n| where strlen(DGADomain) > dgaLengthThreshold\n// throw out domains with number in them\n| where DGADomain matches regex \"^[A-Za-z]{0,}$\"\n// extract the tri grams from summarized data\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", DGADomain), extract_all(\"(...)\", substring(DGADomain, 1)), extract_all(\"(...)\", substring(DGADomain, 2)));\n// throw out domains that have repeating tri's and/or >=3 repeating letters\nlet nonRepeatingTris = allDataSummarized\n| join kind=leftanti\n(\n allDataSummarized\n | mvexpand AllTriGrams\n | summarize count() by tostring(AllTriGrams), DGADomain\n | where count_ > 1\n | distinct DGADomain\n)\non DGADomain;\n// find domains that do not have a common tri in the baseline\nlet 
dataWithRareTris = nonRepeatingTris\n| join kind=leftanti\n(\n nonRepeatingTris\n | mvexpand AllTriGrams\n | extend Trigram = tostring(AllTriGrams)\n | distinct Trigram, DGADomain\n | join kind=inner\n (\n triBaseline\n )\n on Trigram\n | distinct DGADomain\n)\non DGADomain;\ndataWithRareTris\n// join DGAs back on connection data\n| join kind=inner\n(\n CommonSecurityLog\n | where TimeGenerated > ago(startTime)\n | where isnotempty(DestinationHostName)\n | extend DestinationHostName = tolower(DestinationHostName)\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\n)\non Name\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Possible contact with a domain generated by a DGA",
+ "enabled": false,
+ "description": "Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.",
+ "alertRuleTemplateName": "4acd3a04-2fad-4efc-8a4b-51476594cec4"
+ }
+ }
+ ]
+}
\ No newline at end of file
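Review bot: The baseline domain list in the query on L19980 is fetched with `externaldata` over plain `http://` (`http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip`), so the reference set that decides which domains count as "normal" can be altered by anyone on the network path; the same object is normally reachable over TLS, so prefer `https://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip` and verify the bucket serves it. The description on L20013 says the model is built from the "Alexa Top 1 million" list, but the URL is the Cisco Umbrella top-1m list, so the description should name the source actually used. The query line appears split across L19980–L19981 in this listing while the hunk header counts 59 lines, which suggests an extraction artefact rather than a newline inside the JSON string — worth confirming the committed file still parses. Only `IPCustomEntity` is mapped at L19996–L20006; mapping `DGADomain` (or `Name`) to a DNS entity as well would let grouping and investigation work on the suspicious domain rather than only the source address.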
From 2e2fac3b22170b001fb144da7996c24497b56300 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:13 +0000
Subject: [PATCH 242/375] Exported file: Potential Build Process Compromise -
MDE.json.json
---
...ential Build Process Compromise - MDE.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
new file mode 100644
index 00000000..7ddfad51
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66ee9d45-4e7e-4b0d-a361-377cd3662750')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66ee9d45-4e7e-4b0d-a361-377cd3662750')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([]);\nDeviceProcessEvents\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where FileName has_any (build_processes)\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nDeviceFileEvents\n| where TimeGenerated > ago(timeframe)\n| where InitiatingProcessFileName !in (allow_list)\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n// Look for code files, edit this to include file extensions used in build.\n| where FileName endswith \".cs\" or FileName endswith \".cpp\"\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, DeviceName\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=DeviceName, timestamp=timekey\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Potential Build Process Compromise - MDE",
+ "enabled": false,
+ "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463",
+ "alertRuleTemplateName": "1bf6e165-5e32-420e-ab4f-0da8558a8be2"
+ }
+ }
+ ]
+}
\ No newline at end of file
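Review bot: The final `summarize ... by timekey, DeviceName, BuildParentProcess, BuildProcess` in the query on L20057 drops `BuildCommand`, `BuildAccount` and `BuildProcessTime`, so the alert an analyst receives no longer shows which build invocation was running when the source file changed; carrying them through, e.g. `| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount), make_set(BuildCommand), BuildProcessTime=min(BuildProcessTime) by timekey, DeviceName, BuildParentProcess, BuildProcess, BuildAccount`, keeps that context, and the same applies to the SecurityEvent variant on L20133. The correlation key is `bin(TimeGenerated, time_window)`, so a build that starts at the end of one 5-minute bin and an edit at the start of the next never join; the description on L20089 could state that limitation so the `time_window` comment is not read as a tolerance. `timestamp=timekey` also stamps the alert with the bin boundary rather than the first event time. `techniques` is `null` at L20086 while the tactic is Persistence; tagging the software supply-chain technique (T1195.002 looks like the closest fit — confirm) would make the rule visible in MITRE coverage views.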
From b12066c5128c9c1728556ae160d36bd11acd96a0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:14 +0000
Subject: [PATCH 243/375] Exported file: Potential Build Process
Compromise.json.json
---
.../Potential Build Process Compromise.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
new file mode 100644
index 00000000..5e33be49
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([\"\"]);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where EventID == 4688\n| where Process has_any (build_processes)\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for file modifications to code file\n| where EventID == 4663\n| where Process !in (allow_list)\n// Look for code files, edit this to include file extensions used in build.\n| where ObjectName endswith \".cs\" or ObjectName endswith \".cpp\"\n// 0x6 and 0x4 for file append, 0x100 for file replacements\n| where AccessMask == \"0x6\" or AccessMask == \"0x4\" or AccessMask == \"0X100\"\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, Computer\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=Computer, timestamp=timekey\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Potential Build Process Compromise",
+ "enabled": false,
+ "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463",
+ "alertRuleTemplateName": "5ef06767-b37c-4818-b035-47de950d0046"
+ }
+ }
+ ]
+}
\ No newline at end of file
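Review bot: `AccessMask == "0X100"` in the query on L20133 uses an upper-case `X` while the neighbouring comparisons use `"0x6"` and `"0x4"`; KQL `==` is case-sensitive, so if the collector emits the mask as `0x100` the "file replacements" branch the inline comment describes never matches. A case-insensitive set test removes the dependency on casing: `| where AccessMask in~ ("0x6", "0x4", "0x100")`. `allow_list` is `dynamic([""])` here but `dynamic([])` in the MDE variant on L20057; the empty-string entry is harmless, but the two rules should agree. Event 4663 only appears when object-access auditing and a SACL on the source tree are configured, and the description on L20165 does not say so — a sentence on that prerequisite would save a deployment that silently never fires.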
From 69aebacaa825b0a57e7be4605c96c76120ea2ad9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:15 +0000
Subject: [PATCH 244/375] Exported file: Potential DGA detected
(ASimDNS).json.json
---
.../Potential DGA detected (ASimDNS).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
new file mode 100644
index 00000000..c02a471f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4059cc8c-74ef-43f9-abed-bb067aa015ae')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4059cc8c-74ef-43f9-abed-bb067aa015ae')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P10D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let referencestarttime = 10d;\nlet referenceendtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \n {imDns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\n | where DnsQueryTypeName in (\"A\", \"AAAA\")\n | where ipv4_is_match(\"127.0.0.1\", SrcIpAddr) == False\n | where DnsQuery !contains \"/\" and DnsQuery contains \".\"};\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold\n // Filter out previously seen IPs\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold ) on SrcIpAddr\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Potential DGA detected (ASimDNS)",
+ "enabled": false,
+ "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)'",
+ "alertRuleTemplateName": "983a6922-894d-413c-9f04-d7add0ecc307"
+ }
+ }
+ ]
+}
\ No newline at end of file
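Review bot: The description on L20241 says the alert fires for an IP "not being seen associated with NXDomain records in prior 10-day baseline period", but the leftanti join in the query on L20209 only excludes baseline IPs whose `dcount_sld` exceeded `threshold`; a client that produced NXDOMAINs below that count during the baseline is still reported as new. Either the description should say "did not exceed the threshold during the baseline", or the baseline subquery should drop its `| where dcount_sld > threshold` filter, depending on which behaviour is wanted; the same mismatch exists in the DnsEvents variant on L20284. The description also ends with a stray `'` after the parsers link. `sld = tostring(split(DnsQuery, ".")[-2])` treats `co` as the registrable label for a name like `example.co.uk`, which undercounts distinct domains under multi-label public suffixes — worth a comment in the query if that is accepted.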
From ef1494d9bafc5d9afed030aff91b612fffebc995 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:16 +0000
Subject: [PATCH 245/375] Exported file: Potential DGA detected.json.json
---
.../Potential DGA detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected.json
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected.json b/SentinelExported-AnalyticsRule/Potential DGA detected.json
new file mode 100644
index 00000000..9a4f96e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DGA detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P10D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = DnsEvents \n| where ResultCode == 3 \n| where QueryType in (\"A\", \"AAAA\")\n| where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !contains \"/\"\n| where Name contains \".\";\nnxDomainDnsEvents\n| where TimeGenerated > ago(endtime)\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen IPs\n| join kind=leftanti (nxDomainDnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | extend sld = tostring(split(Name, \".\")[-2])\n | summarize dcount(sld) by ClientIP\n | where dcount_sld > threshold ) on ClientIP\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Potential DGA detected",
+ "enabled": false,
+ "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).",
+ "alertRuleTemplateName": "a0907abe-6925-4d90-af2b-c7e89dc201a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
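Review bot: The query on L20284 groups NXDOMAIN counts by `ClientIP` and only excludes `127.0.0.1`, so when `DnsEvents` is collected from a server that receives forwarded queries, `ClientIP` is the forwarding resolver and its aggregate NXDOMAIN volume will trip `threshold` on its own; a dedicated exclusion, e.g. `let resolverIPs = dynamic([]);` followed by `| where ClientIP !in (resolverIPs)`, gives operators a tuning knob the description on L20316 could point to. The closing sample join `nxDomainDnsEvents | summarize by Name, ClientIP` has no time filter of its own and relies on `queryPeriod` (P10D at L20280) to bound the scan; adding `| where TimeGenerated > ago(starttime)` keeps the query correct when it is run ad hoc outside the rule.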
From 0b2ceb5df4592938ca7471c3fa0f63df63110afd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:17 +0000
Subject: [PATCH 246/375] Exported file: Potential DHCP Starvation
Attack.json.json
---
.../Potential DHCP Starvation Attack.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
diff --git a/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
new file mode 100644
index 00000000..f7eac851
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 1000;\nInfobloxNIOS\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential DHCP Starvation Attack",
+ "enabled": false,
+ "description": "This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.",
+ "alertRuleTemplateName": "57e56fc9-417a-4f41-a579-5475aea7b8ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
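Review bot: The `join kind=inner (InfobloxNIOS | where ...) on ServerIP` in the query on L20360 multiplies each over-threshold 5-minute bucket by every DHCPREQUEST row that server logged during the hour, so one starvation burst yields well over `threshold` result rows, and with `createIncident` true and grouping disabled (L20364–L20366) each row becomes its own alert; the join also ignores the bucket, so requests outside the offending window are attached as well. Either drop the join and alert on the summarized row, `| where count_ > threshold` then `| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP`, or enable incident grouping on the IP entity. After the join `timestamp = TimeGenerated` appears to resolve to the binned `TimeGenerated` from the left side, which is acceptable but deserves a comment. The description on L20392 has "recieved" for "received", and the `InitialAccess` tactic at L20387 does not obviously fit address-pool exhaustion — Impact (network denial of service) seems closer; confirm against the template.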
From d5cf964094964c4eabc1bf803a16375a39764594 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:17 +0000
Subject: [PATCH 247/375] Exported file: Potential Kerberoasting.json.json
---
.../Potential Kerberoasting.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Kerberoasting.json
diff --git a/SentinelExported-AnalyticsRule/Potential Kerberoasting.json b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
new file mode 100644
index 00000000..93218cde
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/697575c4-83f0-4d98-9594-b6f254db566a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/697575c4-83f0-4d98-9594-b6f254db566a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold = 15;\nlet Kerbevent =\nSecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769\n| parse EventData with * 'TicketEncryptionType\">' TicketEncryptionType \"<\" *\n| where TicketEncryptionType == '0x17'\n| parse EventData with * 'TicketOptions\">' TicketOptions \"<\" *\n| where TicketOptions == '0x40810000'\n| parse EventData with * 'Status\">' Status \"<\" *\n| where Status == '0x0'\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\" \n| parse EventData with * 'TargetUserName\">' TargetUserName \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress \"<\" *;\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\n| where ServiceNameCountPrev23h < prev23hThreshold;\nlet Kerbevent1h = \nKerbevent\n| where TimeGenerated >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\nKerbevent1h \n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, TargetDomainName\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\n| where ServiceNameCountPrev1h > prev1hThreshold\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \nTicketEncryptionType, Status, ServiceNameCountPrev1h, 
ServiceNameSet1h, TargetDomainName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\"\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Kerberoasting",
+ "enabled": false,
+ "description": "A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.",
+ "alertRuleTemplateName": "1572e66b-20a7-4012-9ec4-77ec4b101bc8"
+ }
+ }
+ ]
+}
\ No newline at end of file
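Review bot: The step `parse EventData with * 'IpAddress">::ffff:' ClientIPAddress "<" *` in the KQL inside `query` only extracts the client address when the 4769 event carries an IPv4-mapped IPv6 value; a plain IPv4 or native IPv6 `IpAddress` leaves ClientIPAddress empty, so the IP entity on those alerts is blank and distinct clients collapse into one summarize group. Parse the raw value and strip the prefix afterwards: `| parse EventData with * 'IpAddress">' ClientIPAddress "<" *` followed by `| extend ClientIPAddress = replace_string(ClientIPAddress, '::ffff:', '')`. Note that `TicketEncryptionType == '0x17'` deliberately scopes this to RC4 service tickets, so AES-only roasting is out of scope — worth stating in `description`, which still calls this a "hunting query" although it is deployed here as a scheduled analytics rule. `techniques` is null; T1558.003 (Kerberoasting) is the matching ATT&CK technique.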
From 3982a6643b69a77543c234cec93f88435d5e1245 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:18 +0000
Subject: [PATCH 248/375] Exported file: Potential Password Spray Attack (Uses
Authentication Normalization).json.json
---
...k (Uses Authentication Normalization).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
new file mode 100644
index 00000000..3fc7a639
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n , Users = make_set(TargetUserId,100) \n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b"
+ }
+ }
+ ]
+}
\ No newline at end of file
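Review bot: `Products=make_set(EventVendor)` in the `query` string duplicates the vendor set under the product name; the intended column is almost certainly `Products=make_set(EventProduct)`, since the two expressions are otherwise identical. Separately, `dcount(TargetUserId)` is likely to undercount a spray against non-existent accounts, because the 'No such user or password' failures this rule explicitly keeps may carry no resolved user ID — `UserCount=dcount(TargetUsername)` would count the attempted names instead (confirm which field your ASIM parsers populate). `techniques` is null; T1110.003 (Password Spraying) is the matching technique.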
From b227606f81100ee12be326c9b3a56b0c64f02fbf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:19 +0000
Subject: [PATCH 249/375] Exported file: Potential Password Spray
Attack.json.json
---
.../Potential Password Spray Attack.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
new file mode 100644
index 00000000..ac884a34
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack",
+ "alertRuleTemplateName": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508"
+ }
+ }
+ ]
+}
\ No newline at end of file
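Review bot: The two branches of the `query` string repeat the filter `| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")` verbatim, so a future edit to one (adding an outcome reason, say) silently leaves the other — and thus the threshold and the reported `Users` set — out of step. Bind the filtered events once, `let FailedLogons = Okta_CL | where eventType_s =~ "user.session.start" and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS");`, and derive both `FailedEvents` and the final summarize from it. The `description` says "log into the Okta console", but `user.session.start` appears to cover every Okta primary sign-in, not only the admin console; the text should say so. `techniques` is null; T1110.003 is the matching technique.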
From ac3ae87a03a7132161257046ba5f50a8e0fe9d91 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:20 +0000
Subject: [PATCH 250/375] Exported file: Powershell Empire cmdlets seen in
command line.json.json
---
...l Empire cmdlets seen in command line.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
diff --git a/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
new file mode 100644
index 00000000..1a6df223
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d070056-c31e-46a3-8ab6-299510132e4f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d070056-c31e-46a3-8ab6-299510132e4f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet regexEmpire = @\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invok
e-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|
Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\$Volume){\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\(\\$sSource,|ind-Fruit
|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\";\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nlet decodedPS = ProcessCreationEvents\n| where CommandLine contains \" -encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\n(decodedPS\n| union \n(ProcessCreationEvents\n| where FileName in~ (\"powershell.exe\",\"powershell_ise.exe\")\n| where CommandLine !contains \"-encodedcommand\")\n| extend StartTimeUtc = TimeGenerated\n)\n| where CommandLine matches regex regexEmpire\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Powershell Empire cmdlets seen in command line",
+ "enabled": false,
+ "description": "Identifies instances of PowerShell Empire cmdlets in powershell process command line data.",
+ "alertRuleTemplateName": "ef88eb96-861c-43a0-ab16-f3835a97c928"
+ }
+ }
+ ]
+}
\ No newline at end of file
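Review bot: `CommandLine matches regex regexEmpire` in the `query` string is a case-sensitive match (KQL's RE2 flavour) while PowerShell cmdlet names are case-insensitive, so `invoke-mimikatz` or `INVOKE-DCSYNC` on a command line slips past every alternation; prefix the pattern with an inline flag, `let regexEmpire = @"(?i)SetDelay|GetDelay|…";`. The encoded branch only recognises the full switch via `CommandLine contains " -encodedCommand"`, yet powershell.exe accepts `-e`, `-ec` and `-enc`, and those fall into the plain branch where the base64 blob never matches a cmdlet name — extend the `contains`/`parse` to the abbreviated forms. Two unanchored alternatives, `Get-ADObject` and `Set-ADObject`, are also legitimate ActiveDirectory-module cmdlets and will fire on routine admin scripting, so consider dropping them or requiring a second Empire indicator on the same line. The run from `Find-GPOLocation` through `Get-UniqueTokens` appears twice in the pattern; the second copy is dead alternation and can be removed.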
From 424b14c1064f531b7b97459f89c1cdc72dde92c2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:20 +0000
Subject: [PATCH 251/375] Exported file: Privileged Accounts - Sign in Failure
Spikes.json.json
---
...ged Accounts - Sign in Failure Spikes.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
diff --git a/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
new file mode 100644
index 00000000..da1e5f2c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\nIdentityInfo\n| where AssignedRoles contains \"Admin\"\n| mv-expand AssignedRoles\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\n| where Roles contains \"Admin\"\n| distinct Roles, AccountUPN\n| join kind=inner (\n // Failed Signins attempts with reasoning related to MFA.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n) on $left.AccountUPN == $right.UserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, Roles, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where 
TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Privileged Accounts - Sign in Failure Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor",
+ "alertRuleTemplateName": "34c5aff9-a8c2-4601-9654-c7e46342d03b"
+ }
+ }
+ ]
+}
\ No newline at end of file
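Review bot: The join filter `| extend DateHour = bin(TimeGenerated, 1h) | where DateHour in ((AnomalyHours))` in the `query` string bins sign-ins to the hour, but `AnomalyHours` comes from `make-series … step timeframe` with `timeframe = 1d`, so its values are day boundaries and only sign-ins from the 00:00 hour of an anomalous day can match; failures from the other 23 hours are dropped from the alert detail. Bin with the same step, `| extend DateHour = bin(TimeGenerated, timeframe)`, and consider renaming `HourlyCount` to `DailyCount` since the series counts per day. If I read `aadFunc` correctly, `TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))` also excludes yesterday's and today's events, so a spike in progress is only reported after a later P1D run — confirm that latency is acceptable for a High-severity rule.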
From 63b0c61054a179fa9d7c5d7d03cb7117568d1c94 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:21 +0000
Subject: [PATCH 252/375] Exported file: Privileged Role Assigned Outside
PIM.json.json
---
.../Privileged Role Assigned Outside PIM.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
diff --git a/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
new file mode 100644
index 00000000..c112b51e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName =~ 'Add member to role (permanent)'\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Privileged Role Assigned Outside PIM",
+ "enabled": false,
+ "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "269435e3-1db8-4423-9dfc-9bf59997da1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
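Review bot: `queryFrequency`/`queryPeriod` of `P1D` means a permanent privileged-role assignment can go unreported for up to a day, a long window for a PrivilegeEscalation rule whose query is a cheap single-table filter; `PT1H`/`PT1H` would be a better fit. The query also does not filter on `Result`, so failed assignment attempts alert exactly like successful ones — add `| where Result =~ "success"` or project `Result` so triage can tell them apart. The predicate `ActivityDisplayName =~ 'Add member to role (permanent)'` does not by itself say the assignment bypassed PIM; confirm against your tenant's AuditLogs that this activity value is emitted only for non-PIM assignments (PIM-originated assignments use distinct activity names), otherwise the displayName overstates what the rule detects. `IPCustomEntity` is taken from `InitiatedBy.user`, so assignments made by an application (`InitiatedBy.app`) yield no IP entity — worth noting in `description`.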
From 72a1f0a06b03cbbf0a470e50f6f4284f10fe397d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:22 +0000
Subject: [PATCH 253/375] Exported file: Probable AdFind Recon Tool Usage
(Normalized Process Events).json.json
---
...ool Usage (Normalized Process Events).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
new file mode 100644
index 00000000..e9ccfb0c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f33cb73-78b6-4886-8434-f319deea8d62')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f33cb73-78b6-4886-8434-f319deea8d62')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965"
+ }
+ }
+ ]
+}
\ No newline at end of file
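Review bot: The FileHash entity mapping at the end of the hunk maps only the `Value` identifier, while the query already computes `AlgorithmCustomEntity = "SHA256"` and never maps it; the FileHash entity's strong identifier is Algorithm together with Value, so add `{ "identifier": "Algorithm", "columnName": "AlgorithmCustomEntity" }` next to the existing `Value` mapping. Rows that match on the filename or on the flag list rather than on the hash may carry an empty `TargetProcessSHA256`, so for those the FileHash entity is empty and only the Account/Host entities identify the incident. The `or CommandLine has_any (args)` branch is not tied to AdFind at all, so any shell-spawned process whose command line contains e.g. `"Domain Admins"` or `"objectcategory"` fires this High-severity rule at threshold 0; either require the AdFind filename or hash together with the flags, or state the wider scope in `description`. `techniques` is `null`; populating it with the Discovery technique(s) the rule covers would let the MITRE coverage view count it. The same FileHash mapping and unscoped flag branch appear in PATCH 254.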
From 85b4c60bd635951b13b13577ce6907d93c145bae Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:23 +0000
Subject: [PATCH 254/375] Exported file: Probable AdFind Recon Tool
Usage.json.json
---
.../Probable AdFind Recon Tool Usage.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
new file mode 100644
index 00000000..06834d6f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nDeviceProcessEvents\n//looks for execution from a shell\n| where InitiatingProcessFileName in (parentProcesses)\n// main filter\n| where FileName =~ \"AdFind.exe\" or SHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or ProcessCommandLine has_any (args)\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Probable AdFind Recon Tool Usage",
+ "enabled": false,
+ "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.",
+ "alertRuleTemplateName": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd"
+ }
+ }
+ ]
+}
\ No newline at end of file
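Review bot: `| where InitiatingProcessFileName in (parentProcesses)` in the query uses the case-sensitive `in` operator, so a parent recorded as `CMD.EXE` or `Powershell.exe` is not matched, whereas the `FileName =~ "AdFind.exe"` test on the next line is case-insensitive and the normalized variant in PATCH 253 uses `in~` for the same check. Change it to `| where InitiatingProcessFileName in~ (parentProcesses)` so the parent-process filter behaves consistently with the rest of the rule.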
From 09d3142b75bd5bf3708e0563eb6320c180089213 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:23 +0000
Subject: [PATCH 255/375] Exported file: Process executed from binary hidden in
Base64 encoded file.json.json
---
... binary hidden in Base64 encoded file.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
diff --git a/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
new file mode 100644
index 00000000..73cfa20b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f801914e-c351-43d7-b2a7-ba58f064fda6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f801914e-c351-43d7-b2a7-ba58f064fda6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents;\n};\nProcessCreationEvents \n| where CommandLine contains \".decode('base64')\"\n or CommandLine contains \"base64 --decode\"\n or CommandLine contains \".decode64(\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Process executed from binary hidden in Base64 encoded file",
+ "enabled": false,
+ "description": "Encoding malicious software is a technique used to obfuscate files from detection. \nThe first CommandLine component is looking for Python decoding base64. \nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64.",
+ "alertRuleTemplateName": "d6190dde-8fd2-456a-ac5b-0a32400b0464"
+ }
+ }
+ ]
+}
\ No newline at end of file
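Review bot: The Account entity is mapped with `FullName` to `AccountCustomEntity = Account`, which the query derives from `SubjectUserName` alone, while the `SubjectDomainName` it projects as `AccountDomain` is never mapped; a bare SAM name without its domain is a weak identifier, so map `Name` to the account column and `NTDomain` to `AccountDomain` as two `fieldMappings` entries in place of the single `FullName` one. The second pattern only matches the long form `base64 --decode`; the short form `base64 -d` that coreutils also accepts is not covered, so the description's claim about Bash/sh decoding is wider than what the query actually detects.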
From 63b68ffa1beb07198fd1179476fbbd5884febc48 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:24 +0000
Subject: [PATCH 256/375] Exported file: Process execution frequency
anomaly.json.json
---
.../Process execution frequency anomaly.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
new file mode 100644
index 00000000..c225444e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3421562d-ac3e-42dc-9d90-e751868bb424')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3421562d-ac3e-42dc-9d90-e751868bb424')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 5;\nlet ExeList = dynamic([\"powershell.exe\",\"cmd.exe\",\"wmic.exe\",\"psexec.exe\",\"cacls.exe\",\"rundll.exe\"]);\nlet TimeSeriesData =\nSecurityEvent\n| where EventID == 4688 | extend Process = tolower(Process)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where Process in (ExeList)\n| project TimeGenerated, Computer, AccountType, Account, Process\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project Process, TimeGenerated, Total, baseline, anomalies, score\n| where Total > TotalEventsThreshold);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\nSecurityEvent\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| where EventID == 4688 | extend Process = tolower(Process)\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\n) on Process, TimeGenerated\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Process execution frequency anomaly",
+ "enabled": false,
+ "description": "Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.",
+ "alertRuleTemplateName": "2c55fe7a-b06f-4029-a5b9-c54a2320d7b8"
+ }
+ }
+ ]
+}
\ No newline at end of file
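Review bot: The rule runs every hour (`queryFrequency` PT1H) but alerts on every anomaly with `TimeGenerated > ago(2d)` from a series that ends at `startofday(ago(endtime))`, so each hourly run re-emits the same anomaly rows for up to a day and, with incident grouping disabled, opens a fresh incident for the same spike each time; either set `"queryFrequency": "P1D"` to match the daily series boundary or narrow the alert window to the hours added since the previous run. `ExeList` contains `"rundll.exe"`, which is not the name of the `rundll32.exe` binary present on current Windows versions, so that entry presumably matches nothing as written and was meant to be `"rundll32.exe"`.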
From 8291c3746a5d2a95945893cf2c2010c77e044e4f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:25 +0000
Subject: [PATCH 257/375] Exported file: ProofpointPOD - Binary file in
attachment.json.json
---
...fpointPOD - Binary file in attachment.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
new file mode 100644
index 00000000..d7979346
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ed981a2-337b-4542-a371-3968ac93f923')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ed981a2-337b-4542-a371-3968ac93f923')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Binary file in attachment",
+ "enabled": false,
+ "description": "Detects when email recieved with binary file as attachment.",
+ "alertRuleTemplateName": "eb68b129-5f17-4f56-bf6d-dde48d5e615a"
+ }
+ }
+ ]
+}
\ No newline at end of file
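Review bot: `todynamic(MsgParts)[0]['detectedMime']` inspects only the first message part, so a zip attached after the body part or a second attachment is never examined; expand the parts instead, e.g. `| mv-expand part = todynamic(MsgParts)` followed by `| where tostring(part['detectedMime']) == 'application/zip'`. The rule is named and described as detecting a "binary file" but matches only `application/zip`, so either widen the MIME list or rename and describe it as a zip-attachment rule; `description` also misspells "received". The same first-part-only check is used in PATCH 261.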
From ff2520f9ff36aba59416fca8ea439b5eb615a69a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:26 +0000
Subject: [PATCH 258/375] Exported file: ProofpointPOD - Email sender IP in TI
list.json.json
---
...pointPOD - Email sender IP in TI list.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
new file mode 100644
index 00000000..56d78c38
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcIpAddr)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\n )\non $left.TI_ipEntity == $right.ClientIP\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Exfiltration",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Email sender IP in TI list",
+ "enabled": false,
+ "description": "Email sender IP in TI list.",
+ "alertRuleTemplateName": "78979d32-e63f-4740-b206-cfb300c735e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
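Review bot: `dt_lookBack = 1h` in the query limits the ProofpointPOD side of the join to the last hour, but the rule runs once a day (`queryFrequency` P1D), so roughly 23 of every 24 hours of mail flow are never compared against the indicator list; set `let dt_lookBack = 1d;` (or lower `queryFrequency` to PT1H) so the lookback covers the run interval. The hunk also has no `entityMappings`, so a match produces an incident with no account or IP entity even though `SrcIpAddr`, `SrcUserUpn` and `DstUserUpn` are projected; an IP mapping with `Address` on `SrcIpAddr` and an Account mapping on `DstUserUpn` would make the incident investigable. PATCH 259 has the same 1h-versus-P1D mismatch and likewise lacks `entityMappings`.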
From 9cc406df722923bb529ae8adbe603d7c1d6485f3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:26 +0000
Subject: [PATCH 259/375] Exported file: ProofpointPOD - Email sender in TI
list.json.json
---
...oofpointPOD - Email sender in TI list.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
new file mode 100644
index 00000000..15e29453
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcUserUpn)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n \n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Exfiltration",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Email sender in TI list",
+ "enabled": false,
+ "description": "Email sender in TI list.",
+ "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde"
+ }
+ }
+ ]
+}
\ No newline at end of file
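Review bot: The join condition `on $left.TI_emailEntity == $right.ClientEmail` is a case-sensitive equality, so an indicator stored with upper-case letters never matches a ProofpointPOD `SrcUserUpn` logged in lower case (or vice versa); normalize both sides before the join, `| extend TI_emailEntity = tolower(EmailSenderAddress)` and `| extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = tolower(SrcUserUpn)`. The final `project` shows the indicator's `Description` but nothing identifying the recipient; since the ProofpointPOD subquery does not narrow its columns, `DstUserUpn` should still be available after the join and adding it to the `project` would show who was targeted.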
From 495ae5199aed6fcb1c00989a2b6aa6eb6f51c88f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:27 +0000
Subject: [PATCH 260/375] Exported file: ProofpointPOD - High risk message not
discarded.json.json
---
...POD - High risk message not discarded.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
new file mode 100644
index 00000000..40125ada
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4416b145-266e-461b-b5bf-c346069f404e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4416b145-266e-461b-b5bf-c346069f404e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - High risk message not discarded",
+ "enabled": false,
+ "description": "Detects when email with high risk score was not rejected or discarded by filters.",
+ "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde"
+ }
+ }
+ ]
+}
\ No newline at end of file
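Review bot: `| where FilterModulesSpamScoresOverall == '100'` treats "high risk" as an exact string match on 100, so a message scored 99 or a value with different formatting is silently excluded; if the column is numeric, compare against a threshold such as `| where todouble(FilterModulesSpamScoresOverall) >= 90` (90 is illustrative), and if it is a string, state in `description` that only the maximum score is alerted on. The Account entity is mapped to `SrcUserUpn`, the external sender of an inbound message; `DstUserUpn` is the account inside the tenant that received the high-risk mail and is presumably the more useful pivot for an incident.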
From 5f58715c6fe7cb9f14547a492220f63c75ad9c9e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:28 +0000
Subject: [PATCH 261/375] Exported file: ProofpointPOD - Multiple archived
attachments to the same recipient.json.json
---
...ved attachments to the same recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
new file mode 100644
index 00000000..f4c3e6c5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple archived attachments to the same recipient",
+ "enabled": false,
+ "description": "Detects when multiple emails where sent to the same recipient with large archived attachments.",
+ "alertRuleTemplateName": "bda5a2bd-979b-4828-a91f-27c2a5048f7f"
+ }
+ }
+ ]
+}
\ No newline at end of file
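Review bot: `description` says the rule detects "large archived attachments", but the query only checks `attachedMimeType == 'application/zip'` on the first message part and applies no size condition; either add a size filter as PATCH 262 does (`| where NetworkBytes > msgszthreshold` with a `let msgszthreshold = ...;` declaration) or drop "large" from the description. The count uses `> msgthreshold` with `msgthreshold = 3`, so four or more zip mails to one recipient within 30 minutes are needed to fire; stating that number in the description would help tuning. The description also has "where sent" for "were sent".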
From afc9fde135c95b328ea2fca64044245870790ba3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:29 +0000
Subject: [PATCH 262/375] Exported file: ProofpointPOD - Multiple large emails
to the same recipient.json.json
---
...le large emails to the same recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
new file mode 100644
index 00000000..51b6a7ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7aa0650e-f8b6-4737-9894-85f684aa5d18')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7aa0650e-f8b6-4737-9894-85f684aa5d18')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet msgszthreshold = 3000000;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where NetworkBytes > msgszthreshold\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple large emails to the same recipient",
+ "enabled": false,
+ "description": "Detects when multiple emails with lage size where sent to the same recipient.",
+ "alertRuleTemplateName": "d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32"
+ }
+ }
+ ]
+}
\ No newline at end of file
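Review bot: The `"description"` string reads `with lage size where sent`, and analysts see this text verbatim on every incident the rule raises; it should be `"description": "Detects when multiple emails with large size were sent to the same recipient."`. The size and count thresholds (`msgszthreshold = 3000000`, `msgthreshold = 3`) are hard-coded inside the `"query"` string with no template parameter, so the description should state them so operators know where to tune the rule.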
From 9526022068673ef54cbf4e05f57c99953482e1f2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:29 +0000
Subject: [PATCH 263/375] Exported file: ProofpointPOD - Multiple protected
emails to unknown recipient.json.json
---
...protected emails to unknown recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
new file mode 100644
index 00000000..46b01c27
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet lbperiod = 14d;\nlet knownrecipients = ProofpointPOD\n| where TimeGenerated > ago(lbperiod)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where SrcUserUpn != ''\n| where array_length(todynamic(DstUserUpn)) == 1\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\n| extend commcol = SrcUserUpn;\nProofpointPOD\n| where TimeGenerated between (ago(lbtime) .. now())\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\n| join knownrecipients on commcol\n| where recipients !contains DstUserMail\n| project SrcUserUpn, DstUserMail\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple protected emails to unknown recipient",
+ "enabled": false,
+ "description": "Detects when multiple protected messages where sent to early not seen recipient.",
+ "alertRuleTemplateName": "f8127962-7739-4211-a4a9-390a7a00e91f"
+ }
+ }
+ ]
+}
\ No newline at end of file
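Review bot: The join in the `"query"` string appears to key on the wrong column: `knownrecipients` sets `commcol = SrcUserUpn` (the sender), but the live side sets `commcol = tostring(todynamic(DstUserUpn)[0])` (the recipient), so a message is compared against the recipient set of whichever sender shares the new recipient's address rather than against the actual sender's history; if the intent is "this sender has not written to this recipient in 14 days", the live side should be `| extend commcol = SrcUserUpn`. `recipients !contains DstUserMail` also performs a substring test on the serialized `make_set` array, so a known address that is a prefix of the new one suppresses the alert; `| where set_has_element(recipients, DstUserMail) == false` is the exact membership test. The baseline uses `ago(14d)` while `"queryPeriod"` is `PT30M`; a scheduled rule is evaluated over its query period, so the 14-day history is likely truncated and `"queryPeriod": "P14D"` (as the Rare RDP Connections rule later in this series does) is needed. The description typo `to early not seen recipient` should read `to a previously unseen recipient`.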
From 64d91507d4feec955f04342f8285da956df2a6a0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:30 +0000
Subject: [PATCH 264/375] Exported file: ProofpointPOD - Possible data
exfiltration to private email.json.json
---
...le data exfiltration to private email.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
new file mode 100644
index 00000000..41839953
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55f68d39-f930-44bd-acb6-4eddd9007237')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55f68d39-f930-44bd-acb6-4eddd9007237')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where array_length(todynamic(DstUserUpn)) == 1\n| extend sender = extract(@'\\A(.*?)@', 1, SrcUserUpn)\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\n| extend recipient = extract(@'\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\n| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\n| where sender =~ recipient\n| where sender_domain != recipient_domain\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Possible data exfiltration to private email",
+ "enabled": false,
+ "description": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.",
+ "alertRuleTemplateName": "aedc5b33-2d7c-42cb-a692-f25ef637cbb1"
+ }
+ }
+ ]
+}
\ No newline at end of file
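Review bot: The domain comparison in the `"query"` string, `| where sender_domain != recipient_domain`, is case-sensitive while the username comparison uses `=~`, so a send from `alice@Contoso.com` to `alice@contoso.com` is reported as a cross-domain send; `| where sender_domain !~ recipient_domain` keeps the two checks consistent. `"tactics"` lists `InitialAccess` although the rule's name, description and the sibling ProofpointPOD rules describe outbound data leaving the organisation, so `"tactics": ["Exfiltration"]` would be the accurate classification for incident triage.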
From bbf2d50fd9ef1f497be6c004a8edcfb2c4ec951a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:31 +0000
Subject: [PATCH 265/375] Exported file: ProofpointPOD - Suspicious
attachment.json.json
---
...ProofpointPOD - Suspicious attachment.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
new file mode 100644
index 00000000..92580185
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3838a2fe-0433-432b-8f34-fd48f0930148')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3838a2fe-0433-432b-8f34-fd48f0930148')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\n| where attachedExt in (disallowed_ext)\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Suspicious attachment",
+ "enabled": false,
+ "description": "Detects when email contains suspicious attachment (file type).",
+ "alertRuleTemplateName": "f6a51e2c-2d6a-4f92-a090-cfb002ca611f"
+ }
+ }
+ ]
+}
\ No newline at end of file
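Review bot: The extension check in the `"query"` string, `| where attachedExt in (disallowed_ext)`, is case-sensitive, so an attachment reported as `EXE` or `Ps1` is not matched; `| where attachedExt in~ (disallowed_ext)` closes that gap without other changes. Only `todynamic(MsgParts)[0]` is inspected, so a blocked type in any attachment after the first is missed; if `MsgParts` holds one element per part, `| mv-expand part = todynamic(MsgParts) | extend attachedExt = tostring(part['detectedExt'])` evaluates every part, and the same `MsgParts[0]` pattern appears in the earlier ProofpointPOD rules of this series. The `disallowed_ext` list is an inline tuning knob, so the description should say it is a fixed list that defenders are expected to extend.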
From 8233a30f4b6623b45dc93e1bc3aa6cbdfb9b2e88 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:32 +0000
Subject: [PATCH 266/375] Exported file: ProofpointPOD - Weak ciphers.json.json
---
.../ProofpointPOD - Weak ciphers.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
new file mode 100644
index 00000000..bc4737a2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lbtime = 1h;\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\nProofpointPOD\n| where EventType == 'message'\n| where TlsCipher in (tls_ciphers)\n| extend IpCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": null,
+ "techniques": null,
+ "displayName": "ProofpointPOD - Weak ciphers",
+ "enabled": false,
+ "description": "Detects when weak TLS ciphers are used.",
+ "alertRuleTemplateName": "56b0a0cd-894e-4b38-a0a1-c41d9f96649a"
+ }
+ }
+ ]
+}
\ No newline at end of file
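Review bot: The rule has no `"entityMappings"` block although the `"query"` string ends with `| extend IpCustomEntity = SrcIpAddr`, so the source IP is never attached to the alert as an entity while every other rule in this series maps its custom entity columns; adding `{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IpCustomEntity"}]}` under an `"entityMappings"` array restores that. `let lbtime = 1h;` is declared but never used in a `TimeGenerated` filter, so the window is set only by `"queryPeriod"`; either drop the unused `let` or add `| where TimeGenerated > ago(lbtime)` for consistency with the sibling rules. `"tactics": null` leaves the alert unclassified, and the cipher list `['RC4-SHA', 'DES-CBC3-SHA']` is a small hard-coded set that the description should call out so operators know to extend it.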
From e5f493ffd9b3e6c23cc32fe4cf9bf7652a7817d2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:33 +0000
Subject: [PATCH 267/375] Exported file: PulseConnectSecure - Large Number of
Distinct Failed User Logins.json.json
---
...Number of Distinct Failed User Logins.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
new file mode 100644
index 00000000..ddd791b4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fbd8942-976f-4b19-94c6-785e9f05136e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fbd8942-976f-4b19-94c6-785e9f05136e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins",
+ "enabled": false,
+ "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server",
+ "alertRuleTemplateName": "1fa1528e-f746-4794-8a41-14827f4cb798"
+ }
+ }
+ ]
+}
\ No newline at end of file
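Review bot: The message match in the `"query"` string uses `Messages startswith "Login failed"` while the sibling Potential Brute Force Attempts rule in the next patch uses `Messages contains "Login failed"`; if the `Messages` field ever carries a prefix, this rule misses the events the other one counts, so the two should agree and `has` or `contains` is the safer choice. `dcount(User)` is an estimate rather than an exact count, which is acceptable at a threshold of 100 but worth stating in the description so the value is not read as exact. The description also omits the 15-minute bin and the threshold, both of which an analyst needs to interpret the alert.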
From e80a8e8a7099a3b806d334b753e70e3375797198 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:34 +0000
Subject: [PATCH 268/375] Exported file: PulseConnectSecure - Potential Brute
Force Attempts.json.json
---
...cure - Potential Brute Force Attempts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
new file mode 100644
index 00000000..09ccf3d3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b59ad89c-249e-462f-ac68-c23a93202fa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b59ad89c-249e-462f-ac68-c23a93202fa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
+ "enabled": false,
+ "description": "This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server",
+ "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44"
+ }
+ }
+ ]
+}
\ No newline at end of file
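Review bot: The `"query"` string counts failures `by User, Source_IP`, so a single source trying fewer than 20 passwords against each of many accounts never crosses the threshold; the sibling Distinct Failed User Logins rule covers the many-user case but groups by `Computer` without the source IP. A sentence in the description stating that this rule targets repeated failures against one account from one address, and that the distinct-user rule is its complement, would help analysts understand what each alert does and does not cover.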
From 0500883b80b7c14eccab52203a3efeed6bfc184a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:34 +0000
Subject: [PATCH 269/375] Exported file: RDP Nesting.json.json
---
.../RDP Nesting.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/RDP Nesting.json
diff --git a/SentinelExported-AnalyticsRule/RDP Nesting.json b/SentinelExported-AnalyticsRule/RDP Nesting.json
new file mode 100644
index 00000000..93ec5a16
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/RDP Nesting.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda14730-b43b-4099-a785-6145306928b9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda14730-b43b-4099-a785-6145306928b9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet endtime = 1d;\nlet starttime = 8d;\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\nlet threshold = 5;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the first RDP connection time, computer and ip\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \n| join kind=inner (\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the second RDP connection time, computer and ip\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\n) on Account\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\n// where the second hop occurs within 30 minutes of the first hop\n| where SecondHop <= FirstHop+30m\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize makeset(Computer), 
ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\n| where ComputerCount >= threshold\n| mvexpand set_Computer\n| extend Computer = toupper(set_Computer)\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "RDP Nesting",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \nto another system with the same account within the 60 minutes. Additionally, if historically daily \nRDP connections are indicated by the logged EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "69a45b05-71f5-45ca-8944-2e038747fb39"
+ }
+ }
+ ]
+}
\ No newline at end of file
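Review bot: The `"description"` string says the second hop is detected `within the 60 minutes`, but the `"query"` string filters with `| where SecondHop <= FirstHop+30m`, so either the description or the window is wrong; the query's own comment (`where the second hop occurs within 30 minutes of the first hop`) suggests the description should say 30 minutes. The query uses the deprecated aliases `makeset` and `mvexpand`; `make_set` and `mv-expand` are the current forms. In this rendering the query value is broken across two physical lines (the `| summarize makeset(Computer),` line and the following `ComputerCount = ...` line); a raw line break inside a JSON string is invalid, so confirm the exported file keeps the value on one line.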
From 52257ab50def06fc6fff825a69dba5a30045c86a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:35 +0000
Subject: [PATCH 270/375] Exported file: Rare RDP Connections.json.json
---
.../Rare RDP Connections.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare RDP Connections.json
diff --git a/SentinelExported-AnalyticsRule/Rare RDP Connections.json b/SentinelExported-AnalyticsRule/Rare RDP Connections.json
new file mode 100644
index 00000000..84ec8eb1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare RDP Connections.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af136dbc-b98a-4c3b-9842-e076768ae2a1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af136dbc-b98a-4c3b-9842-e076768ae2a1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where EventID == 4624\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\n) on Account, Computer\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Rare RDP Connections",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\nRDP connections are indicated by the EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "45b903c5-6f56-4969-af10-ae62ac709718"
+ }
+ }
+ ]
+}
\ No newline at end of file
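Review bot: In the `"query"` string the baseline sub-query summarizes `by Computer = toupper(Computer), IpAddress, Account = tolower(Account)` but the join is `on Account, Computer`, so `IpAddress` only increases the cardinality of the baseline without affecting the exclusion; dropping it from that `summarize` makes the intent (any prior logon by this account to this host suppresses) explicit. The description's phrase `rare related to any logon type` matches the baseline filter `EventID == 4624` with no `LogonType` constraint, which deserves a one-line comment in the query because the live side restricts to `LogonType == 10` and a reader may assume the baseline does too.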
From 631c5026f148f10218c256cd34cff2027a359c05 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:36 +0000
Subject: [PATCH 271/375] Exported file: Rare and potentially high-risk Office
operations.json.json
---
...tentially high-risk Office operations.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
diff --git a/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
new file mode 100644
index 00000000..ee48f951
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e557ae74-ef8a-4bab-b807-959486942ceb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e557ae74-ef8a-4bab-b807-959486942ceb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nOfficeActivity\n| where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\")\nand not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Rare and potentially high-risk Office operations",
+ "enabled": false,
+ "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.",
+ "alertRuleTemplateName": "957cb240-f45d-4491-9ba5-93430a3c08be"
+ }
+ }
+ ]
+}
\ No newline at end of file
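Review bot: The service-account exclusion in the query at L22375 uses `UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount')`, a term match, so any UserId that merely contains those tokens is dropped from the `Add-MailboxPermission`/`Set-Mailbox` results — a freshly created look-alike identity inherits the exclusion. Since OfficeActivity `UserId` is normally a full UPN, pin the exclusion to the complete identity (`UserId in~ ('...full UPN...')` or `UserId =~` per account) and keep the allow-list in a `let` at the top of the query or a watchlist so it is reviewed with the rule rather than buried in the predicate. The hard-coded `devilfish-applicationaccount` is a tenant-specific name now committed to the repository; confirm that is acceptable before this export is shared. `techniques` is `null` at L22414 while tactics are set; mapping the operations to their MITRE techniques would make the resulting incidents easier to triage.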
From db82d366ae4bc38ad968451e52095a4fbc292812 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:37 +0000
Subject: [PATCH 272/375] Exported file: Rare application consent.json.json
---
.../Rare application consent.json | 79 +++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare application consent.json
diff --git a/SentinelExported-AnalyticsRule/Rare application consent.json b/SentinelExported-AnalyticsRule/Rare application consent.json
new file mode 100644
index 00000000..66f56236
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare application consent.json
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f40377b-15d8-490f-a8d7-82c385f81829')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f40377b-15d8-490f-a8d7-82c385f81829')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 3,
+ "severity": "Medium",
+ "query": "\nlet current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed. \n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are \n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold\n;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n'Not Available')\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| parse TargetResources.[0].modifiedProperties with * \"ConsentType: \" ConsentType \"]\" *\n| mv-expand AdditionalDetails\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "LateralMovement",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Rare application consent",
+ "enabled": false,
+ "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee"
+ }
+ }
+ ]
+}
\ No newline at end of file
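Review bot: `"triggerThreshold": 3` with `GreaterThan` at L22457-L22458 means the rule only fires when the daily query returns at least four rare-consent rows, yet the query's own `let threshold = 3;` is the baseline cut-off for "not rare" and the description at L22513 promises an alert on a single previously-unseen consent. Unless this was tuned deliberately for the tenant, the rule setting should be `"triggerThreshold": 0` and the `threshold` variable left to do the rarity filtering; as exported, one malicious consent grant produces no incident. Separately, `makeset(Reason)` at the end of the query is the deprecated spelling and should be `make_set(Reason)`. The `parse TargetResources.[0].modifiedProperties with * "ConsentType: " ConsentType "]" *` step yields an empty `ConsentType` if the audit payload format shifts, so treat that column as informational rather than something to filter on.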
From ae9a564badd58c095fba751e65463e768d3b25e0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:37 +0000
Subject: [PATCH 273/375] Exported file: Rare client observed with high reverse
DNS lookup count.json.json
---
...ed with high reverse DNS lookup count.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
diff --git a/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
new file mode 100644
index 00000000..d4f3d8ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/176ecb24-2007-4d65-a832-af6efe88afb5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/176ecb24-2007-4d65-a832-af6efe88afb5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents \n| where TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \n| join kind=leftanti (DnsEvents \n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | where Name contains \"in-addr.arpa\" \n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | where dcount_Name > threshold\n | project ClientIP , dcount_Name \n) on ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Rare client observed with high reverse DNS lookup count",
+ "enabled": false,
+ "description": "Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.",
+ "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06"
+ }
+ }
+ ]
+}
\ No newline at end of file
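Review bot: The reverse-lookup filter `Name contains "in-addr.arpa"` at L22557 appears in both the current-day and the baseline branch and only matches IPv4 PTR queries; IPv6 reverse lookups under `ip6.arpa` are never counted, so a client enumerating an IPv6 range is invisible to this rule. Replace both occurrences with `| where Name has_any ("in-addr.arpa", "ip6.arpa")`, which also uses the cheaper term index instead of a substring scan. Note that the baseline subquery bins by day and keeps only days above `threshold`, so a client that did just under `threshold` lookups every day for a week and crosses it today still fires; that is consistent with the description at L22589 but worth stating there so analysts do not assume a volume baseline.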
From fed9595fd925fb579bacc2d76be96d5667e21211 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:38 +0000
Subject: [PATCH 274/375] Exported file: Rare subscription-level operations in
Azure.json.json
---
...ubscription-level operations in Azure.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
diff --git a/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
new file mode 100644
index 00000000..9d3c1cd9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet SensitiveOperationList = dynamic([\"microsoft.compute/snapshots/write\", \"microsoft.network/networksecuritygroups/write\", \"microsoft.storage/storageaccounts/listkeys/action\"]);\nlet SensitiveActivity = AzureActivity\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \"listkeys/action\"\n| where ActivityStatusValue =~ \"Succeeded\";\nSensitiveActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \nSensitiveActivity\n| where TimeGenerated >= ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \nby CallerIpAddress, Caller, OperationNameValue\n) on CallerIpAddress, Caller, OperationNameValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Rare subscription-level operations in Azure",
+ "enabled": false,
+ "description": "This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \n to dump hashes or extract sensitive information from the disk.",
+ "alertRuleTemplateName": "23de46ea-c425-4a77-b456-511ae4855d69"
+ }
+ }
+ ]
+}
\ No newline at end of file
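Review bot: The status filter `ActivityStatusValue =~ "Succeeded"` at L22633 matches the legacy AzureActivity schema; workspaces fed through the current Azure Activity diagnostic-settings connector record the value as `Success`, in which case this rule silently returns nothing. Verify against live data (`AzureActivity | summarize count() by ActivityStatusValue`) and, if both shapes can occur, use `| where ActivityStatusValue in~ ("Succeeded", "Success")`. The query comment describing `alertOperationThreshold` as an "unusual source of role assignment operations" threshold does not match this rule — `SensitiveOperationList` holds snapshot, NSG and listKeys operations and no role assignments — so reword it, e.g. `// Caller/IP/operation triples seen at least this many times in the baseline period are excluded from the alert`. `makelist` is the deprecated spelling of `make_list`.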
From be901eb5a735ba7696dae6c77a07887e3dccf6e6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:39 +0000
Subject: [PATCH 275/375] Exported file: Request for single resource on
domain.json.json
---
...Request for single resource on domain.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Request for single resource on domain.json
diff --git a/SentinelExported-AnalyticsRule/Request for single resource on domain.json b/SentinelExported-AnalyticsRule/Request for single resource on domain.json
new file mode 100644
index 00000000..edbd74c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Request for single resource on domain.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63037f09-9e99-49da-909e-f384f84b9738')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63037f09-9e99-49da-909e-f384f84b9738')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet scriptExtensions = dynamic([\".php\", \".aspx\", \".asp\", \".cfml\"]);\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\nlet uriThreshold = 1;\nCommonSecurityLog\n// Only look at connections that were allowed through the web proxy\n| where DeviceVendor =~ \"Zscaler\" and DeviceAction =~ \"Allowed\"\n// Only look where some data was exchanged.\n| where SentBytes > 0 and ReceivedBytes > 0\n// Extract the Domain\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\n| extend GetData=iff(RequestURL == \"?\", 1, 0)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\n// Determine the number of URIs that have been visited for the domain\n| extend destinationURI = arraylength(list_RequestURL)\n| where destinationURI <= uriThreshold\n| where tostring(list_RequestURL) has_any(scriptExtensions)\n//Remove matches with referer\n| where max_RequestContext == \"\"\n//Keep requests where data was trasferred either in a GET with parameters or a POST\n| where set_RequestMethod in~ (\"POST\") or max_GetData == 1\n//Defeat email click tracking, may increase FN's while decreasing FP's\n| where list_RequestURL !has \"click\" and set_RequestMethod !has \"GET\"\n| mvexpand list_RequestURL, list_DestinationIP\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\n//Extend custom entitites for incidents\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Request for single resource on domain",
+ "enabled": false,
+ "description": "This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.",
+ "alertRuleTemplateName": "4d500e6d-c984-43a3-9f39-7edec8dcc04d"
+ }
+ }
+ ]
+}
\ No newline at end of file
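Review bot: The click-tracking filter `| where list_RequestURL !has "click" and set_RequestMethod !has "GET"` at L22719 discards every GET request, which makes the earlier `or max_GetData == 1` branch (GET with a query string) dead code and leaves only POST beacons detectable, contradicting the comment "Keep requests where data was trasferred either in a GET with parameters or a POST". If the intent is to drop only GET click-trackers, the condition should be `| where not(list_RequestURL has "click" and set_RequestMethod has "GET")`. `ClientIP = tostring(list_SourceIP)` is computed after `mvexpand list_RequestURL, list_DestinationIP`, which does not expand `list_SourceIP`, so ClientIP is the JSON text of an array rather than an address and is also not mapped in `entityMappings`; either add `list_SourceIP` to the `mvexpand` and map it as an IP entity, or drop the column. The description at L22751 also has typos (`recources`, `assocaited`).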
From 035ac937048797bab2da876439cd5f1408e2da18 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:40 +0000
Subject: [PATCH 276/375] Exported file: SOURGUM Actor IOC - July
2021.json.json
---
.../SOURGUM Actor IOC - July 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
diff --git a/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
new file mode 100644
index 00000000..67959ccf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\n (union isfuzzy=true\n(CommonSecurityLog\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\n| parse Message with * '(' DNSName ')' *\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\n| extend Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\n),\n(DnsEvents\n| where Name in~ (domains)\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DNSName = Name, Host = Computer , Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where 
Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where Image has_any (file_path1) or Image has_any (file_path3)\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'\n), \n(DeviceNetworkEvents\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = 'SOURGUM IOC detected', UrlCustomEntity =RemoteUrl\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = 'SOURGUM IOC detected'\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"]\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source), Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n),\n(DeviceRegistryEvents\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceProcessEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceFileEvents\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend CommandLine = InitiatingProcessCommandLine, Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or 
(ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SOURGUM Actor IOC - July 2021",
+ "enabled": false,
+ "description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM",
+ "alertRuleTemplateName": "94749332-1ad9-49dd-a5ab-5ff2170788fc"
+ }
+ }
+ ]
+}
\ No newline at end of file
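Review bot: The `query` line pulls the whole IOC list at run time via `externaldata` from a mutable `master`-branch URL, so the rule's detection content is whatever that remote CSV holds at each 6-hour run and changes to it never pass through this repository's review; pinning a commit in the URL, or importing the CSV into a Sentinel watchlist, keeps the IOC set auditable and avoids a feed outage silently breaking the rule (externaldata appears to fail the whole query rather than return an empty set — worth confirming). The query also emits `UrlCustomEntity`, `DNSCustomEntity` and `ProcessCustomEntity`, but `entityMappings` only maps Account, Host, IP and FileHash, so the URL, DNS and process entities are dropped from incidents; adding e.g. `{ "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } ] }` would surface them. The `FileHash` mapping carries only `Value` while the query already sets `AlgorithmCustomEntity = "SHA256"`; the FileHash entity's strong identifier is Algorithm plus Value, so `{ "identifier": "Algorithm", "columnName": "AlgorithmCustomEntity" }` belongs alongside it.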
From 4ebb42dfb4c8faf5b89a8a7a080fc5902e80b12d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:41 +0000
Subject: [PATCH 277/375] Exported file: SSH - Potential Brute Force.json.json
---
.../SSH - Potential Brute Force.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
diff --git a/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
new file mode 100644
index 00000000..97991578
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c84de391-2133-43e6-af89-27b021feaf75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c84de391-2133-43e6-af89-27b021feaf75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 15;\nSyslog\n| where SyslogMessage contains \"Failed password for invalid user\"\n| where ProcessName =~ \"sshd\" \n| parse kind=relaxed SyslogMessage with * \"invalid user\" user \" from \" ip \" port\" port \" ssh2\"\n| project user, ip, port, SyslogMessage, EventTime\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\n| where PerHourCount > threshold\n| mvexpand EventTimes\n| extend EventTimes = tostring(EventTimes) \n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\n| extend UserList = tostring(UserList) \n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "SSH - Potential Brute Force",
+ "enabled": false,
+ "description": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.",
+ "alertRuleTemplateName": "e1ce0eab-10d1-4aae-863f-9a383345ba88"
+ }
+ }
+ ]
+}
\ No newline at end of file
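Review bot: The filter `SyslogMessage contains "Failed password for invalid user"` on the `query` line only counts failures against accounts that do not exist, so brute force or spraying against real accounts on the host never triggers this rule; if all SSH auth failures are intended, match on `"Failed password for"` and treat the `invalid user` prefix as optional in the parse. The description says "15 failed attempts", but `PerHourCount > threshold` with `threshold = 15` fires at 16 or more, and the counter is binned at `4h` despite its `PerHour` name — rename it or switch the comparison to `>=` so the text and the logic agree. `AccountCustomEntity = UserList` maps `tostring(makeset(user))`, a serialized array, onto the Account `FullName` identifier, which produces one malformed account entity instead of one per user; expanding the set before the final projection, or leaving the account mapping out, would be cleaner.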
From 7be33760cf5c818f684fbd6fd4ffa83706d8f852 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:41 +0000
Subject: [PATCH 278/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes
(Normalized File Events).json.json
---
...kdoor hashes (Normalized File Events).json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
new file mode 100644
index 00000000..49eef9f4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nimFileEvent\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = User, \n HostCustomEntity = DvcHostname,\n FileHashCustomEntity = TargetFileMD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "bc5ffe2a-84d6-48fe-bc7b-1055100469bc"
+ }
+ }
+ ]
+}
\ No newline at end of file
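Review bot: The `FileHash` entity mapping carries only the `Value` identifier and the query emits no hash-algorithm column, so the FileHash entity (strong identifier: Algorithm plus Value) is created without its algorithm; the same gap is in the `SUNBURST and SUPERNOVA backdoor hashes` and both `SUNBURST suspicious SolarWinds child processes` files in the later hunks. Adding `HashAlgorithm = 'MD5'` to the `extend` in the query and `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }` to the FileHash `fieldMappings` makes the entity well-formed. `TargetFileMD5 in(SunburstMD5)` is a case-sensitive comparison; `in~` would also match uppercase hex from sources that emit it, and the same applies to the `MD5 in(...)` filters in the following hunk.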
From eb645d8eb59f8510f65c1d4de8c6024ff4b601e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:42 +0000
Subject: [PATCH 279/375] Exported file: SUNBURST and SUPERNOVA backdoor
hashes.json.json
---
...UNBURST and SUPERNOVA backdoor hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
new file mode 100644
index 00000000..93fabf1d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c110f9e8-7ac6-496f-8df7-da0c413e767e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c110f9e8-7ac6-496f-8df7-da0c413e767e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nDeviceFileEvents\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST and SUPERNOVA backdoor hashes",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "a3c144f9-8051-47d4-ac29-ffb0c312c910"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 488149f97d52efc93d44ce815e331aa83113ccf0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:43 +0000
Subject: [PATCH 280/375] Exported file: SUNBURST network beacons.json.json
---
.../SUNBURST network beacons.json | 96 +++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST network beacons.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST network beacons.json b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json
new file mode 100644
index 00000000..be9feb5a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json
@@ -0,0 +1,96 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5b4fb13-738e-4591-a704-741486688b20')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5b4fb13-738e-4591-a704-741486688b20')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\",\"thedoccloud.com\",\"deftsecurity.com\"]);\nDeviceNetworkEvents\n| where ActionType == \"ConnectionSuccess\"\n| where RemoteUrl in(SunburstURL)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = InitiatingProcessMD5, \n HashAlgorithm = 'MD5',\n URLCustomEntity = RemoteUrl,\n IPCustomEntity = RemoteIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST network beacons",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "ce1e7025-866c-41f3-9b08-ec170e05e73e"
+ }
+ }
+ ]
+}
\ No newline at end of file
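Review bot: `RemoteUrl in(SunburstURL)` on the `query` line is an exact, case-sensitive whole-string match, so any RemoteUrl that carries a subdomain, scheme, port or path for one of the listed domains is never matched; `RemoteUrl has_any (SunburstURL)`, or a per-domain `endswith`, is the usual form for domain IOCs. The query already computes `HashAlgorithm = 'MD5'` but the `FileHash` mapping lists only `Value`; `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }` completes the entity. `tactics` is `Execution`/`Persistence` for a rule whose signal is a successful outbound connection to known C2 domains; `CommandAndControl` looks like the more accurate tag, though that is the rule author's call.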
From e8079acab4d9479bd2d04b97701bfa5eeb7d00fc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:44 +0000
Subject: [PATCH 281/375] Exported file: SUNBURST suspicious SolarWinds child
processes (Normalized Process Events).json.json
---
...processes (Normalized Process Events).json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
new file mode 100644
index 00000000..19087bd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/20412a8c-a3a7-41a5-8620-6d4c724d3092')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/20412a8c-a3a7-41a5-8620-6d4c724d3092')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nimProcessCreate\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\n| where not(Process has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = ActorUsername,\n HostCustomEntity = User,\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST suspicious SolarWinds child processes (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)'",
+ "alertRuleTemplateName": "631d02df-ab51-46c1-8d72-32d0cfec0720"
+ }
+ }
+ ]
+}
\ No newline at end of file
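Review bot: `HostCustomEntity = User` on the `query` line maps the Host entity from a user column; the sibling normalized rule in the `SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)` hunk uses `HostCustomEntity = DvcHostname`, and the same field should be used here. The filter `Process hassuffix 'solarwinds.businesslayerhost.exe'` reads as a match on the created process itself, whereas the non-normalized variant in the next hunk keys on the parent (`InitiatingProcessFileName`) and applies the exclusion to the child's `FolderPath`; if `Process` is the target-process alias in the ASIM ProcessEvent schema, this rule finds launches of businesslayerhost.exe rather than its children, and `ActingProcessName hassuffix 'solarwinds.businesslayerhost.exe'` with the `excludeProcs` check applied to `Process` would match the stated intent — please confirm against the parser. The leftover `// Change to *hash* once implemented` comment inside the shipped KQL should be resolved or removed, and the description ends with a stray `'` after the ASIM link.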
From d988075a3f8bc1f9e6251558bcd8cfaaa611e404 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:45 +0000
Subject: [PATCH 282/375] Exported file: SUNBURST suspicious SolarWinds child
processes.json.json
---
...suspicious SolarWinds child processes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
new file mode 100644
index 00000000..ba56da8a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ae8d0a-38d8-441f-b491-134cf3151846')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ae8d0a-38d8-441f-b491-134cf3151846')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\n| where not(FolderPath has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST suspicious SolarWinds child processes",
+ "enabled": false,
+ "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "4a3073ac-7383-48a9-90a8-eb6716183a54"
+ }
+ }
+ ]
+}
\ No newline at end of file
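Review bot: The `FileHash` entity on the `FileHashCustomEntity` line is fed from `MD5` in the `query`, the weakest of the three hash columns DeviceProcessEvents exposes; `SHA256` is available in the same table and correlates far better with threat intelligence and with the SUNSPOT hash rule later in this series, so `FileHashCustomEntity = SHA256` is a one-token improvement unless MD5 is deliberately kept for legacy indicators, in which case `description` should say so. Separately, this rule and every following one in the visible part of the series (SUNSPOT log file creation through Sensitive Azure Key Vault operations) ship with `"enabled": false` and `"techniques": null`, so deploying the templates creates dormant rules with no MITRE technique tags. If disabled-by-default is the intended export state, a note in the commit description or an accompanying README would spare the deployer a surprise; the missing technique IDs are worth filling in regardless, since the tactics are already set.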
From ce03d9133d2325e6a2830eaf296149851c324442 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:46 +0000
Subject: [PATCH 283/375] Exported file: SUNSPOT log file creation.json.json
---
.../SUNSPOT log file creation.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
diff --git a/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
new file mode 100644
index 00000000..5010a7fc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a13c922b-fe7c-476e-a586-edaab2219e57')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a13c922b-fe7c-476e-a586-edaab2219e57')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNSPOT log file creation",
+ "enabled": false,
+ "description": "This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807",
+ "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e"
+ }
+ }
+ ]
+}
\ No newline at end of file
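Review bot: The `SecurityEvent` branch of the `query` line (`EventID == 4663` on `ObjectName endswith "vmware-vmdmp.log"`) only produces events when object-access auditing with a file-system SACL covering that path is enabled on the monitored hosts, and the `imFileEvent` branch requires the ASIM FileEvent parsers to be deployed; neither prerequisite is stated in `description`, so an operator enabling the rule on a default-audited estate will get silence from two of the three sources and no indication why. Suggest appending to `description`: `Requires Windows object-access auditing (event 4663) for the SecurityEvent source and the ASIM FileEvent parsers for imFileEvent.` Only a `Host` entity is mapped even though each branch carries an actor column (`InitiatingProcessAccountName`, `Account`, `ActorUsername`); adding an `Account` mapping would make the resulting incident actionable without a manual pivot.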
From 3609f15e51f24370812f4c03539d182b2cf1fa0d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:46 +0000
Subject: [PATCH 284/375] Exported file: SUNSPOT malware hashes.json.json
---
.../SUNSPOT malware hashes.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
diff --git a/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
new file mode 100644
index 00000000..ae9509a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNSPOT malware hashes",
+ "enabled": false,
+ "description": "This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807",
+ "alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429"
+ }
+ }
+ ]
+}
\ No newline at end of file
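Review bot: The hash IoC that drives the `query` line is never surfaced as an entity: `entityMappings` holds only `Host`, so the matched `InitiatingProcessSHA256` value is not attached to the incident and cannot be pivoted on or enriched. Add `FileHashCustomEntity = InitiatingProcessSHA256` to the trailing `extend` and a second `entityMappings` entry with `entityType` `FileHash`, `identifier` `Value` and `columnName` `FileHashCustomEntity`, mirroring the SUNBURST child-process rule earlier in this series. Coverage is also limited to `DeviceEvents` and `DeviceImageLoadEvents` keyed on the initiating process; `DeviceProcessEvents` (where `SHA256` is the hash of the process being created) and `DeviceFileEvents` (the written file's `SHA256`) would catch the binary at drop or launch rather than only once it is already acting. Because the list is two static hashes, `description` should state whether this is meant as a retrospective hunt or an ongoing control.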
From 606a5faa217e22b4e46c31734ee0c2fb6263b521 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:47 +0000
Subject: [PATCH 285/375] Exported file: SUPERNOVA webshell.json.json
---
.../SUPERNOVA webshell.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
diff --git a/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
new file mode 100644
index 00000000..58eaf929
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nW3CIISLog\n| where csMethod == 'GET'\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\n| where csUriStem contains \"logoimagehandler.ashx\"\n| where csUriQuery contains \"codes\" and csUriQuery contains \"clazz\" and csUriQuery contains \"method\" and csUriQuery contains \"args\"\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "SUPERNOVA webshell",
+ "enabled": false,
+ "description": "Identifies SUPERNOVA webshell based on W3CIISLog data.\n References:\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "alertRuleTemplateName": "2acc91c3-17c2-4388-938e-4eac2d5894e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
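Review bot: `AccountCustomEntity = csUserName` on the `query` line will populate the `Account` entity with the literal `-` for anonymous requests, which is the normal case for an IIS handler hit, so every alert carries a bogus account entity. Blank it before mapping, e.g. `AccountCustomEntity = iff(csUserName == "-", "", csUserName)`, so that no account entity should be emitted when there is no authenticated user. With `"severity": "High"`, `createIncident: true` and `groupingConfiguration.enabled: false`, a single recurring caller will open one incident per matching request; grouping by `Host` and `IP` over the `PT5M` lookback would keep the queue manageable without losing signal.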
From fea6aed913ba26fb5e1563db69cfc1f5a3378d3e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:48 +0000
Subject: [PATCH 286/375] Exported file: Security Event log cleared.json.json
---
.../Security Event log cleared.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Security Event log cleared.json
diff --git a/SentinelExported-AnalyticsRule/Security Event log cleared.json b/SentinelExported-AnalyticsRule/Security Event log cleared.json
new file mode 100644
index 00000000..de1e55cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Security Event log cleared.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd618de1-e892-433a-9bc3-4d5d94edf017')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd618de1-e892-433a-9bc3-4d5d94edf017')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Security Event log cleared",
+ "enabled": false,
+ "description": "Checks for event id 1102 which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.",
+ "alertRuleTemplateName": "80da0a8f-cfe1-4cd0-a895-8bc1771a720e"
+ }
+ }
+ ]
+}
\ No newline at end of file
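Review bot: `queryFrequency` and `queryPeriod` of `P1D` mean a Security-log clear (event 1102) can go unreported for up to 24 hours, which is a long blind window for a defense-evasion signal this high-fidelity; `PT1H`/`PT1H` is the more usual cadence for a rule that fires on a single event. The `EventSourceName == "Microsoft-Windows-Eventlog"` guard and its rationale in `description` (avoiding AD FS false positives) are sound, and the `summarize ... by Computer, Account, EventID, Activity` shape is fine. The trailing space after that string literal in the `query` line is harmless but looks like an export artifact.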
From 3cb3e7a0f7a87b40933e0d6dd56c787141b1b186 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:49 +0000
Subject: [PATCH 287/375] Exported file: Security Service Registry ACL
Modification.json.json
---
...ity Service Registry ACL Modification.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
diff --git a/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
new file mode 100644
index 00000000..88f3794a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ef3b755-c57d-4103-8ad3-7536adbdd953')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ef3b755-c57d-4103-8ad3-7536adbdd953')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet servicelist = dynamic(['Services\\\\HealthService', 'Services\\\\Sense', 'Services\\\\WinDefend', 'Services\\\\MsSecFlt', 'Services\\\\DiagTrack', 'Services\\\\SgrmBroker', 'Services\\\\SgrmAgent', 'Services\\\\AATPSensorUpdater' , 'Services\\\\AATPSensor', 'Services\\\\mpssvc']);\nlet filename = dynamic([\"subinacl.exe\",'SetACL.exe']);\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\nlet timeframe = 1d;\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4670\n| where ObjectType == 'Key'\n| where ObjectName has_any (servicelist)\n| parse EventData with * 'OldSd\">' OldSd \"<\" *\n| parse EventData with * 'NewSd\">' NewSd \"<\" *\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\n),\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4688\n| extend ProcessName = tostring(split(NewProcessName, '\\\\')[-1])\n| where ProcessName in~ (filename) \n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, 
Type\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessFileName in~ (filename) \n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Security Service Registry ACL Modification",
+ "enabled": false,
+ "description": "Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \n Reference on guidance for enabling registry auditing:\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\n - https://github.com/OTRF/Set-AuditRule \n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0",
+ "alertRuleTemplateName": "473d57e6-f787-435c-a16b-b38b51fa9a4b"
+ }
+ }
+ ]
+}
\ No newline at end of file
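Review bot: The `query` string appears split across two physical lines in this hunk, between `EventSourceName, ` and `Type\n`; the second fragment has no `+` marker, which suggests a display wrap, but if that line break exists in the committed blob it is a raw newline inside a JSON string and the template will fail to parse, so it is worth confirming against the file. Separately, `let timeframe = 1d;` with `TimeGenerated >= ago(timeframe)` in all three branches duplicates `queryPeriod: "P1D"`; if an operator later widens `queryPeriod`, the hard-coded `1d` silently caps the lookback, so either drop the filter or note in `description` that the two must move together (the next hunk has the same pattern with `let timeRange = 6h;` against `queryPeriod: "PT6H"`). The `parse EventData with * 'OldSd\">' OldSd \"<\" *` extraction depends on the raw XML shape of 4670's `EventData`, which is a reasonable but brittle choice worth a one-line comment in `description`.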
From fff0b6b4186ad5fbcaa87c1cbe7dc2116375eaea Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:50 +0000
Subject: [PATCH 288/375] Exported file: SecurityEvent - Multiple
authentication failures followed by a success.json.json
---
...cation failures followed by a success.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
diff --git a/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
new file mode 100644
index 00000000..a237d536
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeRange = 6h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID == 4624 or EventID == 4625\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 5 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by Account asc, TimeGenerated asc\n| serialize \n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome \n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mvexpand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "SecurityEvent - Multiple authentication failures followed by a success",
+ "enabled": false,
+ "description": "Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\npossible mis-configuration of a service account within an environment.\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a success for an account within 1 hour to surface an alert.",
+ "alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7"
+ }
+ }
+ ]
+}
\ No newline at end of file
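Review bot: `makelist`, `makeset` and `mvexpand` on the `query` line are legacy KQL spellings; the current names are `make_list`, `make_set` and `mv-expand`, and the downstream references (`list_Outcome`, `set_IpAddress`, `set_Computer`) keep the same auto-generated column names under the new functions, so the swap is a pure style fix. The hard-coded `let timeRange = 6h;` mirrors `queryPeriod: "PT6H"` and will silently cap the lookback if the period is ever widened; deriving one from the other, or stating in `description` that they must be changed together, would prevent that drift. The sessionising logic itself (restart on account change or a preceding success, then require the first outcome to be a failure and the last a success) reads correctly against the threshold of 5 failures within 1h that `description` states.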
From f4f5c778c0c036ec24b38acde42e10bbc8da1e79 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:50 +0000
Subject: [PATCH 289/375] Exported file: Sensitive Azure Key Vault
operations.json.json
---
.../Sensitive Azure Key Vault operations.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
diff --git a/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
new file mode 100644
index 00000000..7c838929
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64c74af9-0412-4732-89f8-86f46e4897eb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64c74af9-0412-4732-89f8-86f46e4897eb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet SensitiveOperationList = dynamic(\n[\"VaultDelete\", \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", \"KeyBackup\"]);\nAzureDiagnostics\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\" \n| where OperationName in~ (SensitiveOperationList) \n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Sensitive Azure Key Vault operations",
+ "enabled": false,
+ "description": "Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \nAny Backup operations should match with expected scheduled backup activity.",
+ "alertRuleTemplateName": "d6491be0-ab2d-439d-95d6-ad8ea39277c5"
+ }
+ }
+ ]
+}
\ No newline at end of file
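Review bot: `AccountCustomEntity` on the `query` line is the caller's Entra ID object identifier (`identity_claim_..._objectidentifier_g`, a GUID), yet the `Account` mapping uses `"identifier": "FullName"`; the Account entity has an `AadUserId` identifier for exactly this value, and mapping a GUID as a full name defeats entity merging with UEBA and with other rules that map the same user. Change the mapping to `"identifier": "AadUserId"`. Also `CallerIPMax = arg_max(CallerIPAddress, *)` selects the lexicographically largest IP string, which is an arbitrary choice for the `IP` entity; `arg_max(TimeGenerated, CallerIPAddress)` would yield the most recent caller, and `CallerIPList` already preserves the full set for the analyst.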
From 2fc9ec88b9b55d991b08d149168b88a68b0ea35b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:51 +0000
Subject: [PATCH 290/375] Exported file: Several deny actions
registered.json.json
---
.../Several deny actions registered.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Several deny actions registered.json
diff --git a/SentinelExported-AnalyticsRule/Several deny actions registered.json b/SentinelExported-AnalyticsRule/Several deny actions registered.json
new file mode 100644
index 00000000..780cdb88
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Several deny actions registered.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Medium",
+ "query": "\nlet threshold = 1;\nAzureDiagnostics\n | where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n | extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n | extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n | extend msg_a = split(msg_s_replaced1,\" \")\n | extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\n | where action == \"Deny\"\n | extend url = iff(destIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",destIp)\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\n | where count_ >= [\"threshold\"]\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "LateralMovement",
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Several deny actions registered",
+ "enabled": false,
+ "description": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.",
+ "alertRuleTemplateName": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e"
+ }
+ }
+ ]
+}
\ No newline at end of file
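Review bot: The Deny-action extraction in the query is purely positional — `srcAddr_a = split(msg_a[3],":")`, `destAddr_a = split(msg_a[5],":")`, `action = tostring(msg_a[7])` — so any change in the Azure Firewall `msg_s` layout makes `action == "Deny"` match nothing and the rule stops alerting silently rather than failing loudly. A comment on the `extend protocol = ...` line such as `// positional parse of msg_s (token 0 protocol, 3 src, 5 dst, 7 action); re-verify whenever the firewall log format changes` makes that assumption visible to whoever next tunes the rule. The bracket-quoted identifier in `| where count_ >= ["threshold"]` resolves to the `let threshold = 1;` above, but plain `count_ >= threshold` reads more clearly. The description promises an incident when a source has "more than 1 registered deny action", whereas the query passes every (srcIp, destIp, url, action, protocol) tuple with `count_ >= 1` and the rule fires on `triggerThreshold: 1` result rows, so the wording and the actual threshold semantics do not quite agree.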
From 421d1fb5facc7dc555734f918bb0f1d1354674f1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:52 +0000
Subject: [PATCH 291/375] Exported file: SharePointFileOperation via devices
with previously unseen user agents.json.json
---
...es with previously unseen user agents.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
new file mode 100644
index 00000000..890b9771
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 5;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where TimeGenerated > ago(endtime)\n| where isnotempty(UserAgent)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\n| order by recentCount desc, UserAgent\n// More than 5 downloads/uploads from a new user agent today\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated > ago(endtime) \n| where RecordType =~ szSharePointFileOperation \n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| join kind= inner (RareUserAgent)\non UserAgent, RecordType, Operation \n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "SharePointFileOperation via devices with previously unseen user agents",
+ "enabled": false,
+ "description": "Identifies if the number of documents uploaded or downloaded from device(s) associated\nwith a previously unseen user agent exceeds a threshold (default is 5).",
+ "alertRuleTemplateName": "5dd76a87-9f87-4576-bab3-268b0e2b338b"
+ }
+ }
+ ]
+}
\ No newline at end of file
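Review bot: `historicalActivity` is bucketed by `UserAgent, RecordType, Operation` but the `join kind = leftanti` that builds `RareUserAgent` matches on `UserAgent` alone, while the later `join kind= inner (RareUserAgent) on UserAgent, RecordType, Operation` keys on all three; the sibling rule in the next patch joins on all three columns in both places, so whichever semantics is intended, the two rules should agree (`on UserAgent, RecordType, Operation` here would align them). A short caveat next to `let threshold = 5;` would help triage, e.g. `// UserAgent is client-supplied and trivially changed; treat as a volume-anomaly signal, not attribution`. The `| order by recentCount desc, UserAgent` before `| where recentCount > threshold;` does no useful work, since the result is re-ordered at the end of the query.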
From ce91488a6e3c8e418f275db04fb6e9e46c6bb895 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:53 +0000
Subject: [PATCH 292/375] Exported file: SharePointFileOperation via previously
unseen IPs.json.json
---
...leOperation via previously unseen IPs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
new file mode 100644
index 00000000..379ae7e9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85e14dab-bc47-4f28-810f-47db9aa5896f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85e14dab-bc47-4f28-810f-47db9aa5896f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 50;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\n// More than 50 downloads/uploads from a new IP\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated >= ago(endtime) \n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "SharePointFileOperation via previously unseen IPs",
+ "enabled": false,
+ "description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 50).",
+ "alertRuleTemplateName": "4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7"
+ }
+ }
+ ]
+}
\ No newline at end of file
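Review bot: The recent-window boundaries disagree: `recentActivity` uses `TimeGenerated > ago(endtime)` while the final `OfficeActivity` pass uses `TimeGenerated >= ago(endtime)`, so the two sides of the inner join are computed over windows that differ at the boundary; using `>` in both keeps them aligned. Neither side filters on `isnotempty(ClientIP)`, unlike the user-agent sibling which filters `isnotempty(UserAgent)`, so events with an empty `ClientIP` presumably collapse into a single bucket that can exceed the threshold on its own; `| where isnotempty(ClientIP)` on both `OfficeActivity` sources avoids that. A comment on `let starttime = 14d;` noting that a legitimately rotated egress address (new NAT range, VPN change) will alert once against a 14-day baseline would save the analyst a round trip.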
From 0e6de71da26630632b12314447c0fcb3d4a6eab8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:54 +0000
Subject: [PATCH 293/375] Exported file: Sign-ins from IPs that attempt
sign-ins to disabled accounts (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
new file mode 100644
index 00000000..0124366b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/595b910c-156b-4a20-996e-06c50a217133')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/595b910c-156b-4a20-996e-06c50a217133')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n , applicationsTargeted = dcount(TargetAppName)\n , applicationSet = make_set(TargetAppName) \n by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n imAuthentication\n | where EventResult=='Success'\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33"
+ }
+ }
+ ]
+}
\ No newline at end of file
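Review bot: Both `summarize ... by SrcDvcIpAddr, Type` aggregations run without an `isnotempty(SrcDvcIpAddr)` filter, so events the parser could not attribute to a source address collapse into one empty-key bucket that is then joined and reported as a single suspicious "IP"; `| where isnotempty(SrcDvcIpAddr)` before each summarize prevents that, and the same applies to `IPAddress` in the next patch (Sign-ins from IPs that attempt sign-ins to disabled accounts). The `join kind=leftouter` followed by `| where isnotempty(successfulAccountSigninCount)` is an inner join written in two steps; `join kind=inner` states the intent directly, again in both rules. `makeset(TargetUsername, 15)` is the legacy spelling of `make_set`, which the sibling rule already uses.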
From 9838a1f57afa551756b423a8dc75161a17c4467d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:55 +0000
Subject: [PATCH 294/375] Exported file: Sign-ins from IPs that attempt
sign-ins to disabled accounts.json.json
---
...attempt sign-ins to disabled accounts.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
new file mode 100644
index 00000000..e4ffdb36
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ee20e13-a511-42e0-beb8-020666b7071c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ee20e13-a511-42e0-beb8-020666b7071c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \napplicationSet = make_set(AppDisplayName) by IPAddress, Type\n| order by disabledAccountLoginAttempts desc\n| join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n table(tableName)\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n) on IPAddress \n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+ "enabled": false,
+ "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
+ "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757"
+ }
+ }
+ ]
+}
\ No newline at end of file
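Review bot: `ResultType` is compared as a string literal in `| where ResultType == "50057"` and as a numeric literal in `| where ResultType == 0` inside the same function; writing `"0"` for the success branch keeps the comparisons uniform instead of relying on implicit conversion for one of them. The `| order by disabledAccountLoginAttempts desc` before the join is discarded by the final `| order by disabledAccountLoginAttempts`, and that final sort is ascending, which surfaces the least active addresses first — `desc` looks like the intent, so one ordering with `desc` at the end would do. The enclosing `let aadFunc = (tableName:string){ ... }` is applied via `union isfuzzy=true aadSignin, aadNonInt`, so any fix needs to be made once inside the function body.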
From 752099437f31a97793ff9009b82344b540ec9f4c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:55 +0000
Subject: [PATCH 295/375] Exported file: Solorigate Defender
Detections.json.json
---
.../Solorigate Defender Detections.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
new file mode 100644
index 00000000..d2be50b9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where ThreatName has \"Solorigate\"\n| extend HostCustomEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.HostCustomEntity\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Defender Detections",
+ "enabled": false,
+ "description": "Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.",
+ "alertRuleTemplateName": "e70fa6e0-796a-4e85-9420-98b17b0bb749"
+ }
+ }
+ ]
+}
\ No newline at end of file
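Review bot: `DeviceInfo ... | join (SecurityAlert ...)` uses KQL's default join flavour, `innerunique`, which keeps one arbitrary left-side row per key, so of the many `DeviceInfo` rows per device in the day's window an unspecified one supplies `PublicIP`, `LoggedOnUsers` and `MachineGroup`; because both tables carry `TimeGenerated`, the projected `TimeGenerated` (and therefore `timestamp = TimeGenerated`) is that inventory row's time, not the alert's. Reducing the left side first with `| summarize arg_max(TimeGenerated, *) by DeviceName`, joining `kind=inner`, and taking the alert's time from the right side makes the enrichment deterministic and the incident timestamp meaningful. `$left.DeviceName == $right.HostCustomEntity` after `tolower` on both sides presumably still misses when one side is a FQDN and the other a short host name — worth confirming and noting on the join line. The description's last sentence has a doubled "the" and spells the campaign "Solarigate".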
From 6374a0a504bb9f9f84523149a7cbd7f749621913 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:56 +0000
Subject: [PATCH 296/375] Exported file: Solorigate Domains Found in VM
Insights.json.json
---
...lorigate Domains Found in VM Insights.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
new file mode 100644
index 00000000..9ca5d68d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Domains Found in VM Insights",
+ "enabled": false,
+ "description": "Identifies connections to Solorigate-related DNS records based on VM insights data",
+ "alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801"
+ }
+ }
+ ]
+}
\ No newline at end of file
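Review bot: The indicator list is hard-coded in `let domains = dynamic([...])`, so retiring or extending an indicator means redeploying the rule and the list goes stale silently; sourcing it from a watchlist via `_GetWatchlist` or from the `ThreatIntelligenceIndicator` table lets the SOC maintain indicators without editing the analytic. `split(ExecutablePath, "\\")` assumes Windows separators, and `VMProcess` also covers Linux hosts, where `DirectoryName` and `Filename` will presumably come out empty or unsplit — a comment on that line, e.g. `// path split assumes Windows separators; non-Windows rows yield a single element`, flags the limitation. The query text also ends with a stray `\n \n` that should be trimmed.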
From f4fc14748d4c80077824e12e20b051f5f7fa8b2f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:57 +0000
Subject: [PATCH 297/375] Exported file: Solorigate Named Pipe.json.json
---
.../Solorigate Named Pipe.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
new file mode 100644
index 00000000..3567c779
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\n(union isfuzzy=true\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend PipeName = column_ifexists(\"PipeName\", \"\")\n| extend Account = UserName\n),\n(\n SecurityEvent\n| where EventID == '5145'\n// %%4418 looks for presence of CreatePipeInstance value \n| where AccessList has '%%4418' \n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Named Pipe",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
+ "alertRuleTemplateName": "11b4c19d-2a79-4da3-af38-b067e1273dee"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 3b64e87deef7c27a7202c089ba86231654363c3e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:58 +0000
Subject: [PATCH 298/375] Exported file: Solorigate Network Beacon.json.json
---
.../Solorigate Network Beacon.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
new file mode 100644
index 00000000..5d0d4c2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns (domain_has_any=domains)\n | extend DNSName = DnsQuery\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Network Beacon",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1",
+ "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b"
+ }
+ }
+ ]
+}
\ No newline at end of file
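Review bot: The CommonSecurityLog and VMConnection branches of the `query` test the parsed name with `DNSName in~ (domains)`, which only matches when the whole value equals a listed domain, while the DnsEvents, imDns, DeviceNetworkEvents and AzureDiagnostics branches use `has_any`, so a host under one of the listed domains matches in some feeds and not in others. Using `| where DNSName has_any (domains)` in those two branches would make the rule behave consistently across sources. Separately, the `query` value appears broken across two physical lines inside the JSON string (`Request_Name ". ` / `" Request_Protocol`); if that is a raw line break in the exported file rather than an artifact of this listing, the file is not valid JSON, since control characters inside strings must be escaped, and the template would fail to deploy. The parse column names `Responce_Code`, `Responce_Flags`, `Responce_Size` and `EDNSO_DO` (letter O) only affect readability but are worth normalising to `Response_*` and `EDNS0_DO`.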
From ff87c344a05d1bd5a335c5eb503c1a3aef911c60 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:59 +0000
Subject: [PATCH 299/375] Exported file: Squid proxy events for ToR
proxies.json.json
---
.../Squid proxy events for ToR proxies.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
new file mode 100644
index 00000000..54cd03c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == \"200\"\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events for ToR proxies",
+ "enabled": false,
+ "description": "Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "90d3f6ec-80fb-48e0-9937-2c70c9df9bad"
+ }
+ }
+ ]
+}
\ No newline at end of file
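Review bot: `User` and `RemotePort` are extracted with a `(CONNECT |GET )` prefix, so for any other request method both fields are empty and `AccountCustomEntity`, which is mapped as the Account entity, is blank, even though the `URL`, `Domain` and `Status` regexes accept any `[A-Z]+` method. Broadening the prefix, e.g. `User = extract("([A-Z]+ )([^ ]* )([^ ]+)",3,SyslogMessage)` and `RemotePort = extract("([A-Z]+ )([^ ]*)(:)([0-9]*)",4,SyslogMessage)`, keeps the account entity populated for POST/PUT traffic. The same Syslog extraction pipeline is duplicated verbatim in the "Squid proxy events related to mining pools" rule in the next commit and has the same gap there; the only difference between the two is `"200"` versus `'200'` in the status comparison, which is stylistic.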
From 9e2c4e62fdfa9da6b7b97f73154492e3932a6eb7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:18:59 +0000
Subject: [PATCH 300/375] Exported file: Squid proxy events related to mining
pools.json.json
---
... proxy events related to mining pools.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
new file mode 100644
index 00000000..bc4e34de
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \"xmrget.com\", \n\"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \"supportxmr.com\",\n\"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \"gntl.co.uk\", \"semipool.com\", \n\"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \"coinpoolit.webhop.me\", \"nanopool.org\", \n\"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \"extrmepool.org\", \"webcoin.me\", \n\"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \"dwarfpool.com\", \"hash-to-coins.com\", \n\"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \"moneropool.ru\", \"cryptonotepool.org.uk\",\n\"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\",\n\"shscrypto.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n 
RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == '200'\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events related to mining pools",
+ "enabled": false,
+ "description": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "80733eb7-35b2-45b6-b2b8-3c51df258206"
+ }
+ }
+ ]
+}
\ No newline at end of file
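Review bot: The `DomainList` literal contains repeated entries — `supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice — and the pair `extrmepool.org` / `extremepool.org` reads like a typo of a single domain; duplicates are harmless to `has_any` but make the list harder to maintain, and the near-duplicate should be checked against the source list rather than guessed. A few entries are bare parent domains of what appear to be shared hosting or dynamic-DNS services (`mooo.com`, `1gh.com`), and because `has_any` matches any host under them, benign traffic on those services would also alert; if that is not intended, list the specific mining hostnames instead. The `HTTP_Status_Code == '200'` comparison uses single quotes while the sibling ToR rule uses double quotes for the same check; either is valid KQL, but one style across the two copies would ease diffing.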
From ba12c2a48b95379e2ae149918f3a0e4853745a43 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:00 +0000
Subject: [PATCH 301/375] Exported file: Starting or Stopping HealthService to
Avoid Detection.json.json
---
...ping HealthService to Avoid Detection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
diff --git a/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
new file mode 100644
index 00000000..6ff4834f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityEvent\n| where EventID == 4656\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\n| extend ObjectServer = column_ifexists('ObjectServer', \"\"), ObjectType = column_ifexists('ObjectType', \"\"), ObjectName = column_ifexists('ObjectName', \"\")\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\n| where ObjectServer =~ \"SC Manager\" and ObjectType =~ \"SERVICE OBJECT\" and ObjectName =~ \"HealthService\"\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \"NU.\"\n| join kind=leftouter (\n SecurityEvent\n | where EventID == 4624\n) on TargetLogonId\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Starting or Stopping HealthService to Avoid Detection",
+ "enabled": false,
+ "description": "This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\n The query requires a SACL to audit for access request to the service.",
+ "alertRuleTemplateName": "2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae"
+ }
+ }
+ ]
+}
\ No newline at end of file
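Review bot: The `join kind=leftouter` on `TargetLogonId` pulls in the whole 4624 row without projecting it, and the following `project` keeps `Computer`, `Account`, `IpAddress` and `TargetLogonId`, all of which already exist on the 4656 side after the pivot, so the 4624 columns arrive under suffixed names (`IpAddress1`, …) and are dropped; the join then only multiplies 4656 rows per matching logon without enriching them. If the intent is to attach the logon's source address to the object-access event, project it explicitly on the right side, e.g. `| join kind=leftouter (SecurityEvent | where EventID == 4624 | project TargetLogonId, LogonIpAddress = IpAddress) on TargetLogonId`, and map `IPCustomEntity = LogonIpAddress`. The inline comment about commenting out the join when the SACL only audits network-logon users would also be clearer if it stated what the join is expected to supply.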
From 79ad47895bb978b85d6d862999fbb51bbd7c8c6d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:01 +0000
Subject: [PATCH 302/375] Exported file: Successful SSH brute force
attack.json.json
---
.../Successful SSH brute force attack.json | 104 ++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
diff --git a/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
new file mode 100644
index 00000000..f5336b5f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
@@ -0,0 +1,104 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "Usage\r\n| extend User1 = \"Bob\"\r\n| extend User2 = \"Bill\"\r\n| extend Host1 = \"DC01\"\r\n| extend Host2 = \"Web-DMZ01\"\r\n| extend IP = \"185.32.177.53\"\r\n| take 1\r\n",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": true,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host1"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host2"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User1"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User2"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IP"
+ }
+ ]
+ }
+ ],
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": null,
+ "alertDescriptionFormat": "Analysis of host data has detected a successful brute force attack. The IP {{IP}} was seen making multiple login attempts. This means that the host may be compromised and controlled by a malicious actor.",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful SSH brute force attack",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
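Review bot: The `query` is a synthetic trigger — `Usage | extend User1 = "Bob" … | take 1` — that returns one row whenever the Usage table has any data, yet the rule is `"enabled": true`, severity `High`, scheduled every `PT5M`, and titled as an SSH brute-force detection with an `alertDescriptionFormat` asserting the host "may be compromised"; once deployed it will raise a High incident every suppression window (`PT5H`) with fabricated account, host and IP entities that have no relation to SSH activity. If this is a fixture for exercising entity mapping, it should ship with `"enabled": false` and a displayName and description that say so (the `description` is currently empty), and preferably not in the same export as production rules. The hard-coded address in `IP` is mapped as a real IP entity and would pollute entity pages and any correlation built on incident entities.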
From d999197b03669f25c1525e9e235a068db5efb69d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:02 +0000
Subject: [PATCH 303/375] Exported file: Successful logon from IP and failure
from a different IP.json.json
---
...om IP and failure from a different IP.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
diff --git a/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
new file mode 100644
index 00000000..4b8645f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet logonDiff = 10m;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where ResultType == \"0\" \n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1]), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\") \n | where ResultDescription !~ \"Other\" \n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\n) on UserPrincipalName, AppDisplayName \n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful logon from IP and failure from a different IP",
+ "enabled": false,
+ "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.",
+ "alertRuleTemplateName": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2"
+ }
+ }
+ ]
+}
\ No newline at end of file
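Review bot: `SuccessIPBlock` is built as `strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])` with no trailing separator, so `FailedIPAddress !startswith SuccessIPBlock` treats a `10.1` block as also covering `10.10.x.x` and `10.100.x.x` and silently suppresses failures from those ranges; appending the dot, `SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1], ".")`, makes the prefix comparison exact (the block logic is IPv4-specific either way). Unlike the neighbouring rules, this one has no `entityMappings`, even though the query surfaces `UserPrincipalName`, `SuccessIPAddress` and `FailedIPAddress`; without mappings the incident carries no entities and the `AllEntities` grouping has nothing to match on, so an Account mapping on `UserPrincipalName` and IP mappings on the two address columns should be added.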
From e764bbb6b0d45946c50a3d6e2131a26ebb64b65e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:03 +0000
Subject: [PATCH 304/375] Exported file: Suspicious Resource
deployment.json.json
---
.../Suspicious Resource deployment.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
new file mode 100644
index 00000000..5f4e2cf8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet szOperationNames = dynamic([\"Microsoft.Compute/virtualMachines/write\", \"Microsoft.Resources/deployments/write\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = AzureActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| where TimeGenerated > ago(endtime)\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller desc nulls last \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Resource deployment",
+ "enabled": false,
+ "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
+ "alertRuleTemplateName": "9fb57e58-3ed8-4b89-afcf-c8e786508b1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
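Review bot: The KQL in `query` uses the legacy aliases `makeset()` and `mvexpand`, which Kusto has superseded by `make_set()` and `mv-expand`; the role-assignment rule later in this batch already uses `make_set`, so I would write `CallerIpAddress = make_set(CallerIpAddress)` and `| mv-expand CallerIpAddress` here for consistency. Separately, every rule exported in this batch carries `"enabled": false` and `"techniques": null`, so deploying these templates installs disabled rules with no MITRE technique tags; that is presumably the exported workspace state rather than intent, but if the files are meant to be deployable it is worth a note in the repository documentation. The same point applies to the service-principal, application-consent and permission-granting hunks that follow.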
From 59de7c7bc209a45f2c4afc42395533eef2cfc73c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:04 +0000
Subject: [PATCH 305/375] Exported file: Suspicious Service Principal creation
activity.json.json
---
...s Service Principal creation activity.json | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
new file mode 100644
index 00000000..dbc7eb1b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let timeframe = 60m;\nlet lookback = 10m;\nlet account_created =\nAuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\nAADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\nAuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\nAuditLogs\n | where OperationName contains \"Update application - Certificates and secrets management\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\nAuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n |summarize make_list(AssignedRoles) by AppID;\naccount_created \n | join kind= inner 
(account_activity) on AppID, AppID \n | join kind= inner (account_deleted) on AppID, AppID \n | join kind= inner (account_credentials) on AppID, AppID \n | join kind= inner (roles_assigned) on AppID, AppID\n | where deletionTime - creationTime < lookback\n | where tolong(deletionTime - creationTime) >= 0\n | where creationTime > ago(timeframe)\n | extend AliveTime = deletionTime - creationTime\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "PrivilegeEscalation",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Service Principal creation activity",
+ "enabled": false,
+ "description": "This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)",
+ "alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d"
+ }
+ }
+ ]
+}
\ No newline at end of file
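Review bot: The rule has no `entityMappings` block even though the query projects `userPrincipalName_creator`, `ipAddress_creator`, `userPrincipalName_deleter` and `ipAddress_deleter`, so its alerts carry no Account or IP entities, unlike the neighbouring exported rules that map `AccountCustomEntity` and `IPCustomEntity`; I would add mappings in the same shape between `incidentConfiguration` and `tactics`. The four joins are written `on AppID, AppID`, which repeats the same key and reads like a typo for `on AppID`, and each AuditLogs leg derives `AppID` from `AdditionalDetails[1].value` by position, which is brittle if the array order changes — selecting by the element's `key` would be more robust, though I cannot confirm the key name from here. The `description` string also has "cretaed" for "created".
```json
      },
      "entityMappings": [
        {
          "entityType": "Account",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "userPrincipalName_creator" }
          ]
        },
        {
          "entityType": "IP",
          "fieldMappings": [
            { "identifier": "Address", "columnName": "ipAddress_creator" }
          ]
        }
      ],
      "tactics": [
```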
From a17f2eceaf4218befe4480b5ac15d3bc28333f08 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:05 +0000
Subject: [PATCH 306/375] Exported file: Suspicious application consent for
offline access.json.json
---
...pplication consent for offline access.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
new file mode 100644
index 00000000..7478c516
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"offline_access\" and ConsentFull contains \"Files.Read\" or ConsentFull contains \"Mail.Read\" or ConsentFull contains \"Notes.Read\" or ConsentFull contains \"ChannelMessage.Read\" or ConsentFull contains \"Chat.Read\" or ConsentFull contains \"TeamsActivity.Read\" or ConsentFull contains \"Group.Read\" or ConsentFull contains \"EWS.AccessAsUser.All\" or ConsentFull contains \"EAS.AccessAsUser.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, 
AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent for offline access",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "3533f74c-9207-4047-96e2-0eb9383be587"
+ }
+ }
+ ]
+}
\ No newline at end of file
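Review bot: The scope filter in `query` mixes `and` with `or` without parentheses — `ConsentFull contains "offline_access" and ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or …` — and because `and` binds tighter than `or`, the `offline_access` requirement applies only to the `Files.Read` branch, so a consent containing just `Mail.Read` passes this line; the earlier `TargetResources has "offline"` narrows that somewhat but does not pin the scope name. If the description reflects the intent, the line should read `| where ConsentFull contains "offline_access" and (ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or … or ConsentFull contains "EAS.AccessAsUser.All")`. Separately, the known-application allow-list is fetched at query time via `externaldata` from a raw GitHub URL, so the rule's suppression set is controlled by whoever can change that file and the query errors when the URL is unreachable; a comment in the query naming that dependency, or a workspace-local watchlist, is worth considering, and this applies equally to the O365 Attack Toolkit and PwnAuth hunks.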
From 98154cc4998e55ae3a20d619b4827c23814f2ebe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:06 +0000
Subject: [PATCH 307/375] Exported file: Suspicious application consent similar
to O365 Attack Toolkit.json.json
---
...onsent similar to O365 Attack Toolkit.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
new file mode 100644
index 00000000..b43857d2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"mailboxsettings\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"contacts.read\" and ConsentFull contains \"user.read\" and ConsentFull contains \"mail.read\" and ConsentFull contains \"notes.read.all\" and ConsentFull contains \"mailboxsettings.readwrite\" and ConsentFull contains \"Files.ReadWrite.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", tostring(AdditionalDetails[0].value), \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where 
LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "f948a32f-226c-4116-bddd-d95e91d97eb9"
+ }
+ }
+ ]
+}
\ No newline at end of file
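Review bot: The `description` string repeats the clause "especially as the knownApplications list is expanded, especially as the knownApplications list is expanded"; I would drop the duplicate so it reads `...should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!`. The query body is otherwise the same join pipeline as the offline-access and PwnAuth rules apart from the scope list, so any change to the shared `externaldata` allow-list or the `AdditionalDetails[0]` user-agent extraction should be applied to all three consistently.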
From cedc1b10365e83d14e824e7ab202ff220356b4d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:06 +0000
Subject: [PATCH 308/375] Exported file: Suspicious application consent similar
to PwnAuth.json.json
---
...pplication consent similar to PwnAuth.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
new file mode 100644
index 00000000..cd0527f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"user.read\" and ConsentFull contains \"offline_access\" and ConsentFull contains \"mail.readwrite\" and ConsentFull contains \"mail.send\" and ConsentFull contains \"files.read.all\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ 
\"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to PwnAuth",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "39198934-62a0-4781-8416-a81265c03fd6"
+ }
+ }
+ ]
+}
\ No newline at end of file
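Review bot: `GrantUserAgent` is computed as `iff(AdditionalDetails[0].key =~ "User-Agent", AdditionalDetails[0].value, "")`, which passes a dynamic then-branch and a string else-branch to `iff()`, whereas the otherwise identical O365 Attack Toolkit rule wraps the value in `tostring()`; I would align this one to `| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ "User-Agent", tostring(AdditionalDetails[0].value), "")` so the projected column has a single type across the three consent rules. The rest of the pipeline matches the offline-access hunk, including the unparenthesised scope filter pattern there, though in this rule the conditions are all `and` so the precedence concern does not apply.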
From 1e7f4df6a1f2cb83540ba07ff7c9a3609633ea7e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:07 +0000
Subject: [PATCH 309/375] Exported file: Suspicious granting of permissions to
an account.json.json
---
...granting of permissions to an account.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
new file mode 100644
index 00000000..e8e3617d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationNameValue =~ \"microsoft.authorization/roleassignments/write\";\ncreateRoleAssignmentActivity \n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious granting of permissions to an account",
+ "enabled": false,
+ "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.",
+ "alertRuleTemplateName": "b2c15736-b9eb-4dae-8b02-3016b6a45a32"
+ }
+ }
+ ]
+}
\ No newline at end of file
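Review bot: The `description` says the rule alerts "when a previously unseen source IP address is used", but the baseline leg keeps only `CallerIpAddress, Caller` pairs with `count_ >= alertOperationThreshold` (5) before the `rightanti` join, so a pair seen up to four times in the 14-day window is also treated as unseen and alerts; either the description should say "rarely or never seen" or the threshold should be mentioned there, since the in-query comment on `alertOperationThreshold` is currently the only place that explains it. It would also help readers to note in that comment that lowering the threshold reduces noise from low-volume legitimate callers while raising it widens what counts as "unusual".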
From e7d78ab0b707e3c0526ed0c181f2b97b68addb53 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:08 +0000
Subject: [PATCH 310/375] Exported file: Suspicious link sharing
pattern.json.json
---
.../Suspicious link sharing pattern.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
new file mode 100644
index 00000000..5cc525ae
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 3; \nZoomLogs \n| where Event =~ \"chat_message.sent\" \n| extend Channel = tostring(parse_json(ChatEvents).Channel) \n| extend Message = tostring(parse_json(ChatEvents).Message) \n| where Message matches regex \"http(s?):\\\\/\\\\/\" \n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\n| extend ChannelCount = arraylength(Channels) \n| where ChannelCount > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious link sharing pattern",
+ "enabled": false,
+ "description": "Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.",
+ "alertRuleTemplateName": "1218175f-c534-421c-8070-5dcaabf28067"
+ }
+ }
+ ]
+}
\ No newline at end of file
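Review bot: The `"query"` string uses the legacy KQL aliases `makeset` and `arraylength`; the current names are `make_set` and `array_length`, and the role-assignment rule earlier in this series already uses `make_set`, so this export is inconsistent with itself. The `"description"` text also reads "Alerts in links ... in a short space if time"; suggest `"Alerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time."`. The `threshold = 3` the description tells operators to adjust is embedded in the query string, so tuning requires editing the KQL rather than a rule parameter — worth stating in the description.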
From 1055cdeaf3b4ec0ff1d522eaddeb5cc0bc7c5c23 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:09 +0000
Subject: [PATCH 311/375] Exported file: Suspicious number of resource creation
or deployment activities.json.json
---
...rce creation or deployment activities.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
new file mode 100644
index 00000000..96915b2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet szOperationNames = dynamic([\"microsoft.compute/virtualMachines/write\", \"microsoft.resources/deployments/write\"]);\nlet starttime = 7d;\nlet endtime = 1d;\nAzureActivity\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2\n| join kind=leftsemi (\n// Last day's activity is anomalous\nAzureActivity\n| where TimeGenerated >= startofday(ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), 
tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2 \n) on Caller, CallerIpAddress \n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious number of resource creation or deployment activities",
+ "enabled": false,
+ "description": "Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\nThe start of the day is considered 12am UTC time.",
+ "alertRuleTemplateName": "361dd1e3-1c11-491e-82a3-bb2e44ac36ba"
+ }
+ }
+ ]
+}
\ No newline at end of file
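Review bot: The rule's `"queryPeriod"` is `"P7D"`, but the outer `make-series` window starts at `startofday(ago(7d))`, which reaches earlier than a 7-day lookback measured from run time; if the lookback is enforced as the data window, the earliest daily bin is only partially populated and the `series_fit_line` slope is computed against a truncated first point. Setting `"queryPeriod": "P8D"` (or starting the `range` at `ago(starttime)`) would make the bins consistent with the available data; this is inferred from the declared period, so confirm against how the scheduler bounds the query. The query also relies on the legacy `makelist` and `mvexpand` spellings where `make_list` and `mv-expand` are the current forms.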
From 86c0e117205fd97626fc5f71a23e0aea79579c49 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:09 +0000
Subject: [PATCH 312/375] Exported file: TEARDROP memory-only dropper.json.json
---
.../TEARDROP memory-only dropper.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
diff --git a/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
new file mode 100644
index 00000000..846ccdaf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "TEARDROP memory-only dropper",
+ "enabled": false,
+ "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "738702fd-0a66-42c7-8586-e30f0583f8fe"
+ }
+ }
+ ]
+}
\ No newline at end of file
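Review bot: The `FileHash` entity mapping carries only the `Value` identifier even though the query already emits `FileHashType = "SHA1"` for exactly this purpose; a file-hash entity without its algorithm is a weaker identifier for correlation, so add `{ "identifier": "Algorithm", "columnName": "FileHashType" }` next to the existing `Value` mapping. The hard-coded `"SHA1"` is consistent with the mapped column `InitiatingProcessSHA1`, so no query change is needed for that. Both `contains` filters on the process and DLL names are substring matches, which is fine for detection but should be noted in the description so tuners understand why exact-path variants also trigger.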
From b5992b3ac024c1ccc6309d6c3475831f3393d6ca Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:10 +0000
Subject: [PATCH 313/375] Exported file: THALLIUM domains included in DCU
takedown.json.json
---
...LIUM domains included in DCU takedown.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
diff --git a/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
new file mode 100644
index 00000000..06378b01
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost \n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "THALLIUM domains included in DCU takedown",
+ "enabled": false,
+ "description": "THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ",
+ "alertRuleTemplateName": "70b12a3b-4896-42cb-910c-5ffaf8d7987d"
+ }
+ }
+ ]
+}
\ No newline at end of file
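Review bot: The `"description"` says the rule matches IOCs against "CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents", but the `union` in the query covers CommonSecurityLog, DnsEvents, `imDns`, VMConnection and two AzureDiagnostics (Azure Firewall) branches and never touches SecurityEvent, so the text should list the actual sources. Only the CommonSecurityLog branch sets `Account` and `Computer`; under `union isfuzzy=true` the `AccountCustomEntity` and `HostCustomEntity` columns are empty for every other branch, so those entity mappings only populate for CEF hits — the DnsEvents branch could carry `Computer` through with `| extend Computer = Computer` style projection since that table exposes it (the DnsEvent TI rule later in this series projects it). The CommonSecurityLog branch also requires `isnotempty(FileHash)` before matching `DNSName`, which looks unrelated to a domain match and may discard most CEF events; confirm that filter is intended.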
From 34003c756ca15b3778aedcf5da82abe9e33a8cf4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:11 +0000
Subject: [PATCH 314/375] Exported file: TI map Domain entity to
CommonSecurityLog.json.json
---
...ap Domain entity to CommonSecurityLog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
new file mode 100644
index 00000000..9f942723
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this 
TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to CommonSecurityLog",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "dd0a6029-ecef-4507-89c4-fc355ac52111"
+ }
+ }
+ ]
+}
\ No newline at end of file
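Review bot: The final `summarize CommonSecurityLog_TimeGenerated = arg_max(...) by IndicatorId, FileHashValue` groups a domain-indicator match by `FileHashValue`, a column the projected output never uses and that domain IOCs do not populate; the sibling DnsEvent rule in this series groups by `IndicatorId, Name`, so `by IndicatorId, Domain` is the consistent key here. The KQL comments inside the query string also carry the typos "extarct" and "AdditionalExtentions"; the correct column name is `AdditionalExtensions`, as used in the code on the same line.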
From 91259338f82ab55a8c6261186166a6a65174bda2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:12 +0000
Subject: [PATCH 315/375] Exported file: TI map Domain entity to
DnsEvent.json.json
---
.../TI map Domain entity to DnsEvent.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
new file mode 100644
index 00000000..eeb3f542
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.Name\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to DnsEvent",
+ "enabled": false,
+ "description": "Identifies a match in DnsEvent table from any Domain IOC from TI",
+ "alertRuleTemplateName": "85aca4d1-5d15-4001-abd9-acb86ca1786a"
+ }
+ }
+ ]
+}
\ No newline at end of file
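Review bot: The join `on $left.DomainName==$right.Name` is case-sensitive, and unlike the CommonSecurityLog variant in this series this query never lowercases either side, so an indicator stored in mixed case or a DNS query logged in mixed case will not match. Add `| extend DomainName = tolower(DomainName)` after the `isnotempty(DomainName)` filter on the indicator side and `| extend Name = tolower(Name)` after `isnotempty(Name)` inside the DnsEvents subquery; the `list_tlds` computation can lowercase as well for consistency, although its `in~` check is already case-insensitive.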
From 96dbb737d3e502237a422563b5f30cc9832e90b7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:12 +0000
Subject: [PATCH 316/375] Exported file: TI map Domain entity to
PaloAlto.json.json
---
.../TI map Domain entity to PaloAlto.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
new file mode 100644
index 00000000..32541d26
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for 
the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to PaloAlto",
+ "enabled": false,
+ "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "ec21493c-2684-4acd-9bc2-696dbad72426"
+ }
+ }
+ ]
+}
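Review bot: The join `on $left.DomainName==$right.Domain` in the query property is case-sensitive, but only the right side is normalized (`| extend Domain = tolower(Domain)`); the `list_tlds` sub-query lower-cases DomainName, yet the main ThreatIntelligenceIndicator pipeline feeding the join does not, so an indicator stored with any upper-case character never matches. Add `| extend DomainName = tolower(DomainName)` directly after `| where isnotempty(DomainName)` on the left side so both join keys are lower-cased. The SecurityAlert and Syslog hunks in this series have the same one-sided normalization: their extracted `domain` comes from `tolower(...)` text while DomainName is left as-is.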
\ No newline at end of file
From b02d24ddf546f5033f0a351d04d648f01e67bca1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:13 +0000
Subject: [PATCH 317/375] Exported file: TI map Domain entity to
SecurityAlert.json.json
---
...TI map Domain entity to SecurityAlert.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
new file mode 100644
index 00000000..71a2d372
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n //Extract domain patterns from message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\", 1, tolower(Entities))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column extract hostname and IP address\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\n | extend 
IP_addr = iif(EntityType == 'ip', EntityAddress, '')\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n) on $left.DomainName==$right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to SecurityAlert",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI",
+ "alertRuleTemplateName": "87890d78-3e05-43ec-9ab9-ba32f4e01250"
+ }
+ }
+ ]
+}
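Review bot: `extract(..., 1, tolower(Entities))` in the query property returns only the first domain-like substring of the whole Entities array, so an alert carrying several hosts or URLs is compared against TI on just one of them and the rest are silently skipped. Consider extracting every match instead, e.g. `| extend domains = extract_all(<same regex>, dynamic([1]), tolower(Entities))` followed by `| mv-expand domain = domains` and `| extend domain = tostring(domain)`, so each candidate domain reaches the TLD check and the join; the later `summarize ... by IndicatorId, AlertName` already collapses duplicates. The Syslog hunk in this series applies the same single-match extract to SyslogMessage.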
\ No newline at end of file
From fe1674836158892d00fe0f00ce5bf7f9c9cbf9ff Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:14 +0000
Subject: [PATCH 318/375] Exported file: TI map Domain entity to
Syslog.json.json
---
.../TI map Domain entity to Syslog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
new file mode 100644
index 00000000..45bfae87
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to Syslog",
+ "enabled": false,
+ "description": "Identifies a match in Syslog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 94da16711be7a81e0ac216d91bfccc0177bf4a86 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:15 +0000
Subject: [PATCH 319/375] Exported file: TI map Email entity to
AzureActivity.json.json
---
.../TI map Email entity to AzureActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
new file mode 100644
index 00000000..87307357
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efea115d-c997-4be7-adcb-95afd6643a0a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efea115d-c997-4be7-adcb-95afd6643a0a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \nResourceGroup, SubscriptionId\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to AzureActivity",
+ "enabled": false,
+ "description": "Identifies a match in AzureActivity table from any Email IOC from TI",
+ "alertRuleTemplateName": "cca3b4d9-ac39-4109-8b93-65bb284003e6"
+ }
+ }
+ ]
+}
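Review bot: The join `on $left.EmailSenderAddress == $right.Caller` in the query property is case-sensitive while only the right side is lower-cased (`| extend Caller = tolower(Caller)`), so an indicator stored with mixed case never matches. Add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)`. The CommonSecurityLog and OfficeActivity email hunks in this series have the same gap; OfficeActivity lower-cases neither side, so there `| extend UserId = tolower(UserId)` is needed as well.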
\ No newline at end of file
From 1c79327927da199f49aaabda524143770228e10f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:16 +0000
Subject: [PATCH 320/375] Exported file: TI map Email entity to
CommonSecurityLog.json.json
---
...map Email entity to CommonSecurityLog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
new file mode 100644
index 00000000..dd6cb3d2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/149a0db6-2ad7-4e69-bf36-0c4f62873101')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/149a0db6-2ad7-4e69-bf36-0c4f62873101')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to CommonSecurityLog",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI",
+ "alertRuleTemplateName": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63"
+ }
+ }
+ ]
+}
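Review bot: The device filter `| where DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")` in the query property uses case-sensitive comparisons, whereas the PaloAlto domain rule in this series filters the same CommonSecurityLog columns with `=~`. A casing difference in a connector's output would make this rule silently match nothing. Prefer `| where DeviceVendor =~ "Palo Alto Networks" and DeviceEventClassID =~ "wildfire" and ApplicationProtocol in~ ("smtp","pop3")` for consistency with the other rule.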
\ No newline at end of file
From 9f5cbf866be12ce1a097ed862aefb7f1d3ae788b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:17 +0000
Subject: [PATCH 321/375] Exported file: TI map Email entity to
OfficeActivity.json.json
---
...TI map Email entity to OfficeActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
new file mode 100644
index 00000000..1f3aee6d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to OfficeActivity",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity table from any Email IOC from TI",
+ "alertRuleTemplateName": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 61b2779697b80bfe8396d981c04d8dd6875e2601 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:18 +0000
Subject: [PATCH 322/375] Exported file: TI map Email entity to
SecurityAlert.json.json
---
.../TI map Email entity to SecurityAlert.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
new file mode 100644
index 00000000..e93dc3e4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/789aca0f-8766-49a2-84b7-1d68e2db7652')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/789aca0f-8766-49a2-84b7-1d68e2db7652')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert \n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, 
AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SecurityAlert",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others",
+ "alertRuleTemplateName": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc"
+ }
+ }
+ ]
+}
\ No newline at end of file
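Review bot: The join in the query on L26927 lowercases only the alert side (`EntityEmail = tolower(strcat(EntityName, "@", EntityUPNSuffix))`) while the indicator side `EmailSenderAddress` is compared as-is, and `==` in KQL is case-sensitive, so an indicator ingested with any uppercase characters silently never matches. Normalizing the left side too keeps the comparison symmetric: add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` right after the `isnotempty(EmailSenderAddress)` filter. The self-exclusion test `VendorName == "Microsoft" and ProductName == 'Azure Sentinel'` is string-exact; if alerts raised by the other "TI map" rules ever carry a different product name in your workspace they are joined back in and this rule re-alerts on its siblings, so a case-insensitive `ProductName in~ ('Azure Sentinel', 'Microsoft Sentinel')` would be safer — confirm against the actual ProductName values. The template is exported with `"enabled": false`, so deploying it as-is creates a dormant rule.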
From 6c9a87dbee4a28b2799c9e6774d0fe754e8fb8d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:19 +0000
Subject: [PATCH 323/375] Exported file: TI map Email entity to
SecurityEvent.json.json
---
.../TI map Email entity to SecurityEvent.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
new file mode 100644
index 00000000..9040d0eb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/481c342f-c33a-455b-82d5-2205b068f5d0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/481c342f-c33a-455b-82d5-2205b068f5d0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend TargetUserName = tolower(TargetUserName)\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\n | extend SecurityEvent_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SecurityEvent",
+ "enabled": false,
+ "description": "Identifies a match in SecurityEvent table from any Email IOC from TI",
+ "alertRuleTemplateName": "2fc5d810-c9cc-491a-b564-841427ae0e50"
+ }
+ }
+ ]
+}
\ No newline at end of file
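Review bot: `emailregex` is declared at the top of the query on L27013 but never applied to `TargetUserName`, unlike the OfficeActivity and SigninLogs siblings in this patch set, so the right-hand table is not restricted to email-shaped values and the unused `let` reads as a leftover. Adding `| where TargetUserName matches regex emailregex` directly after the `tolower` normalization makes the filter consistent with the other rules and trims the join input. If SecurityEvent's `TargetUserName` in your environment is usually a bare sAMAccountName rather than a UPN, this rule will match rarely, which is worth a sentence in `description`. As in the sibling rules, the indicator side `EmailSenderAddress` is not lowercased while `TargetUserName` is, so indicators containing uppercase characters never match unless both sides are normalized.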
From 6d28c8e3b98a54c20de04853a0cdcf8e4ed655f4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:19 +0000
Subject: [PATCH 324/375] Exported file: TI map Email entity to
SigninLogs.json.json
---
.../TI map Email entity to SigninLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
new file mode 100644
index 00000000..90b58046
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SigninLogs",
+ "enabled": false,
+ "description": "Identifies a match in SigninLogs table from any Email IOC from TI",
+ "alertRuleTemplateName": "30fa312c-31eb-43d8-b0cc-bcbdfb360822"
+ }
+ }
+ ]
+}
\ No newline at end of file
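Review bot: On L27116 the query builds `Status` from `DeviceDetail` (`extend Status = todynamic(DeviceDetail)`) and then reads `Status.errorCode` and `Status.additionalDetails` from it; if, as the column names suggest, those keys live in the sign-in `Status` column rather than in `DeviceDetail`, `StatusCode` and `StatusDetails` will always be empty in the alert. The fix is a single token, `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)` — confirm against the schema of both `SigninLogs` and `AADNonInteractiveUserSignInLogs`, since `aadFunc` is applied to both. `State`, `City` and `Region` are computed in the subquery but dropped by the final `project`, and `Type = Type` is a no-op extend; either project the location fields for the analyst or remove the dead extends.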
From b173fe47fdb8841a31d5fd33022043727ce8a0c4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:20 +0000
Subject: [PATCH 325/375] Exported file: TI map File Hash to CommonSecurityLog
Event.json.json
---
... File Hash to CommonSecurityLog Event.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
new file mode 100644
index 00000000..87ccc2ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9f798a0-8821-4cde-9667-21d84cc45915')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9f798a0-8821-4cde-9667-21d84cc45915')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map File Hash to CommonSecurityLog Event",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI",
+ "alertRuleTemplateName": "5d33fc63-b83b-4913-b95e-94d13f0d379f"
+ }
+ }
+ ]
+}
\ No newline at end of file
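Review bot: The final `project` in the query on L27211 drops `FileHashValue` and `FileHashType`, so the alert does not carry the hash that actually matched — the analyst gets the CommonSecurityLog row but has to re-query the indicator to learn which hash fired, whereas the sibling Security Event rule in this patch set does project `FileHash`. Adding `FileHashValue, FileHashType,` to the project list fixes that. Because the indicator set is unioned into lower- and upper-case copies and the summarize keys on `IndicatorId, FileHashValue`, the same indicator can surface twice in one run when a device logs the hash in both casings within the hour; lower-casing both sides once (`| extend FileHashValue = tolower(FileHashValue)` on the indicator side and `| extend FileHash = tolower(FileHash)` in the subquery) and dropping the union is cheaper and deduplicates.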
From 484b8f99372ec2bf786fd243499fc9d5e37e2509 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:21 +0000
Subject: [PATCH 326/375] Exported file: TI map File Hash to Security
Event.json.json
---
.../TI map File Hash to Security Event.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
new file mode 100644
index 00000000..ea816559
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/689e109d-46e0-4f54-b0b4-1377167cd660')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/689e109d-46e0-4f54-b0b4-1377167cd660')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map File Hash to Security Event",
+ "enabled": false,
+ "description": "Identifies a match in Security Event data from any File Hash IOC from TI",
+ "alertRuleTemplateName": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf"
+ }
+ }
+ ]
+}
\ No newline at end of file
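Review bot: The join on L27314 compares `FileHashValue` to the AppLocker event `FileHash` with no case normalization, whereas the CommonSecurityLog file-hash rule in this same patch set explicitly handles "both lower case and uppercase versions of the hash"; if the event source emits upper-case hex and the feed lower-case (or vice versa), nothing matches and the rule is silently blind. Lower-casing both sides — `| extend FileHashValue = tolower(FileHashValue)` before the join and `| extend FileHash = tolower(FileHash)` inside the subquery — makes the match case-insensitive without needing the union trick. `FileHashType` is also not projected, so the alert does not say whether the matched value was MD5/SHA1/SHA256; adding it next to `FileHash` in the project list costs nothing.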
From 024c9afd5e62895a0879340bf372094a6c503d79 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:22 +0000
Subject: [PATCH 327/375] Exported file: TI map IP entity to
AWSCloudTrail.json.json
---
.../TI map IP entity to AWSCloudTrail.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
new file mode 100644
index 00000000..fb100404
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32d3c923-7729-41bc-8b18-790e97726d79')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32d3c923-7729-41bc-8b18-790e97726d79')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, 
AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AWSCloudTrail",
+ "enabled": false,
+ "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI",
+ "alertRuleTemplateName": "f110287e-1358-490d-8147-ed804b328514"
+ }
+ }
+ ]
+}
\ No newline at end of file
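Review bot: The three chained `iff` extends on L27408 that derive `TI_ipEntity` are a hand-rolled first-non-empty and read as three separate decisions; the same preference order in one line is `| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)`, which also keeps the comment above it ("taking NetworkIP first, then others if that is empty") self-evidently true. The join subquery does not filter `isnotempty(SourceIpAddress)` the way the AppServiceHTTPLogs sibling filters `CIp`; adding `| where isnotempty(SourceIpAddress)` after the time filter trims rows that can never match before the join.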
From 139637675dcb0e79d4164ead0fe349300a0639d6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:23 +0000
Subject: [PATCH 328/375] Exported file: TI map IP entity to
AppServiceHTTPLogs.json.json
---
...I map IP entity to AppServiceHTTPLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
new file mode 100644
index 00000000..1ecbb4dc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n // renaming time column so it is clear the log this came from\n | extend AppService_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CIp\n| where AppService_TimeGenerated < ExpirationDateTime\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, 
IPCustomEntity = CIp, URLCustomEntity = CsHost\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "enabled": false,
+ "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI",
+ "alertRuleTemplateName": "f9949656-473f-4503-bf43-a9d9890f7d08"
+ }
+ }
+ ]
+}
\ No newline at end of file
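Review bot: `URLCustomEntity = CsHost` on L27504 feeds a bare hostname into a URL entity whose identifier is `Url`, while every sibling rule in this patch set maps the indicator's `Url` column there; a host is not a URL and will not correlate with URL indicators or other rules' URL entities, so either map `URLCustomEntity = Url` as the others do or expose `CsHost` through a Host/DNS entity mapping instead. `WebApp` is also computed twice — `extend WebApp = split(_ResourceId, '/')[8]` inside the subquery and again as `WebApp = split(_ResourceId, '/')[8]` in the `project` — so one of the two can be dropped; keeping the subquery extend and projecting `WebApp` by name is the simpler form.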
From 961d8e5e16b75bb12685c2e69600fb4e2c294b5c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:23 +0000
Subject: [PATCH 329/375] Exported file: TI map IP entity to Azure Key Vault
logs.json.json
---
...map IP entity to Azure Key Vault logs.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
new file mode 100644
index 00000000..30687ab8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34be0f95-d845-4501-a64f-3f272d3e7d52')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34be0f95-d845-4501-a64f-3f272d3e7d52')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n)\non $left.TI_ipEntity == $right.ClientIP\n| where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n| extend timestamp = KeyVaultEvents_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Azure Key Vault logs",
+ "enabled": false,
+ "description": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI",
+ "alertRuleTemplateName": "57c7e832-64eb-411f-8928-4133f01f4a25"
+ }
+ }
+ ]
+}
\ No newline at end of file
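Review bot: This rule has no `entityMappings`, so the `ClientIP` and identity-claim columns the query projects are never attached to the incident as entities; the sibling rules in this series (AppServiceHTTPLogs, AzureActivity) map an IP entity and this one should match them. Appending `| extend IPCustomEntity = ClientIP` to the query and adding `{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPCustomEntity"}]}` under a new `entityMappings` array would do it. The TI side also skips the `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` step the other rules run before `Active == true`, so an indicator that was later deactivated can still match on its older active row while its old `ExpirationDateTime` remains in the future. Separately, the description reads "Key Vault logsfrom" (missing space).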
From 988eb83e9be91eb8e4e3ad07997b06f93b21be7a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:24 +0000
Subject: [PATCH 330/375] Exported file: TI map IP entity to Azure SQL Security
Audit Events.json.json
---
...ty to Azure SQL Security Audit Events.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
new file mode 100644
index 00000000..c6db79c8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\"), Action = column_ifexists(\"action_name_s\", \"Not Available\"), \n Application = column_ifexists(\"application_name_s\", \"Not Available\"), HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n)\non $left.TI_ipEntity == $right.ClientIP\n| where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, 
EmailSourceIpAddress\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Azure SQL Security Audit Events",
+ "enabled": false,
+ "description": "Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI",
+ "alertRuleTemplateName": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85"
+ }
+ }
+ ]
+}
\ No newline at end of file
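Review bot: The TI side of this query filters `Active == true` without first reducing each indicator to its latest version, so an indicator whose newest row is `Active == false` (withdrawn) still matches on an older active row whose `ExpirationDateTime` is in the future, and the rule keeps alerting on revoked intel. The other rules in this series place `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` between the `ExpirationDateTime > now()` filter and `Active == true`; the same line belongs here. There is also no `entityMappings` block, so the projected `ClientIP` is not surfaced as an IP entity on the incident and automation keyed on entities will not see it. The `column_ifexists` fallbacks yield the literal `"Not Available"`, which cannot match a TI address and is harmless for the join, but it will appear in projected columns whenever the audit schema differs, so a short query comment noting that is worthwhile.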
From 16c328687153d74ead4e978a877f40fa2ee5f393 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:25 +0000
Subject: [PATCH 331/375] Exported file: TI map IP entity to
AzureActivity.json.json
---
.../TI map IP entity to AzureActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
new file mode 100644
index 00000000..3cc5e808
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, 
URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureActivity",
+ "enabled": false,
+ "description": "Identifies a match in AzureActivity from any IP IOC from TI",
+ "alertRuleTemplateName": "2441bce9-02e4-407b-8cc7-7d597f38b8b0"
+ }
+ }
+ ]
+}
\ No newline at end of file
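Review bot: `dt_lookBack = 1h` equals `queryFrequency` PT1H exactly, so an AzureActivity record whose `TimeGenerated` falls in one window but which is ingested after that window's run is never evaluated; if Activity Log ingestion in this workspace lags by more than a few seconds (common, but not visible here), a small overlap such as `let dt_lookBack = 1h15m;` closes the gap at the cost of occasional duplicate alerts. `AccountCustomEntity = Caller` is mapped as an Account `FullName`, but `Caller` can presumably be an object ID rather than a UPN for service-principal or managed-identity operations; a comment such as `// Caller may be an AAD object id for non-user principals` would save the next reader a surprise. `URLCustomEntity = Url` maps the indicator's own URL, not anything observed in AzureActivity, which is consistent with the other rules but worth a word in the description.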
From a725cd12352d81148107e52148eeb2b01baa260e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:26 +0000
Subject: [PATCH 332/375] Exported file: TI map IP entity to
AzureFirewall.json.json
---
.../TI map IP entity to AzureFirewall.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
new file mode 100644
index 00000000..d28e4d71
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Action @'\\.' 
Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\n | where isnotempty(RemoteIP)\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where AzureFirewall_TimeGenerated < ExpirationDateTime\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureFirewall",
+ "enabled": false,
+ "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI",
+ "alertRuleTemplateName": "0b904747-1336-4363-8d84-df2710bfe5e7"
+ }
+ }
+ ]
+}
\ No newline at end of file
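Review bot: The two `extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, ...)` calls only capture dotted-decimal IPv4, and `ipv4_is_private()` returns null for non-IPv4 input, so the `case()` that builds `RemoteIP` yields empty for IPv6 hosts and `where isnotempty(RemoteIP)` silently drops them; if that is intended, say so in the subquery, e.g. `// IPv4 only: IPv6 source/destination addresses are not extracted and never match`. The query also never filters or weights on `Action`, so a flow the firewall already denied raises the same Medium alert as one it allowed, whereas the NSG rule in this series restricts to allowed flows; either filtering on `Action` or carrying it into alert details would make triage cheaper. `Resource` is projected but only IP and URL entities are mapped, so the firewall instance is not attached to the incident.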
From ef4a801606203632882a45676b1d9b7592e694f0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:27 +0000
Subject: [PATCH 333/375] Exported file: TI map IP entity to
AzureNetworkAnalytics_CL (NSG Flow Logs).json.json
---
...reNetworkAnalytics_CL (NSG Flow Logs).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
new file mode 100644
index 00000000..aa067349
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fa2554b-b319-4605-ad60-92601ac5d7ba')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fa2554b-b319-4605-ad60-92601ac5d7ba')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == \"A\"\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, 
ConfidenceScore,\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "enabled": false,
+ "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed",
+ "alertRuleTemplateName": "a4025a76-6490-4e6b-bb69-d02be4b03f07"
+ }
+ }
+ ]
+}
\ No newline at end of file
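Review bot: `| where FlowStatus_s == "A"` is applied after the `summarize ... arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP`, so each indicator/IP pair is first collapsed to its single most recent flow and the allowed-flow filter then runs on that one row; when the latest flow from a TI-listed IP was denied, an earlier allowed flow in the same hour is discarded and the rule does not fire, contrary to what the description promises. Move the filter inside the join subquery, directly after `| where TimeGenerated >= ago(dt_lookBack)`, so only allowed flows reach the summarize. The in-query comment also reads `removing onlp Public IP` (typo for "only").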
From 84fb0894c5c5fd6707adbdd8d14fd404700b53ec Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:28 +0000
Subject: [PATCH 334/375] Exported file: TI map IP entity to
DnsEvents.json.json
---
.../TI map IP entity to DnsEvents.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
new file mode 100644
index 00000000..867984dc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58d21291-77aa-4e73-9603-1cefbe80b39c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58d21291-77aa-4e73-9603-1cefbe80b39c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = 
DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to DnsEvents",
+ "enabled": false,
+ "description": "Identifies a match in DnsEvents from any IP IOC from TI",
+ "alertRuleTemplateName": "69b7723c-2889-469f-8b55-a2d355ed9c87"
+ }
+ }
+ ]
+}
\ No newline at end of file
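Review bot: `summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP` keeps one row per indicator and resolved address, so when several clients resolve the same TI-listed IP within the hour only the most recent `ClientIP`/`Computer` is mapped as an entity and the other affected hosts never appear on the incident. If that is the intended "one match is enough" behaviour inherited from the shared template the description should say so; otherwise add the client to the summarize key (`by IndicatorId, SingleIP, ClientIP`) so each resolving host gets its own row and entity. Note that `IPCustomEntity = ClientIP` maps the client that performed the lookup rather than the indicator, which is right for this table but the opposite of the firewall and NSG rules in this series (they map `TI_ipEntity`); a one-line comment in the query would stop someone "harmonising" it later.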
From c3daa45a0c7d9e9d284a5a4532ef14040d4dc2fb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:28 +0000
Subject: [PATCH 335/375] Exported file: TI map IP entity to Duo
Security.json.json
---
.../TI map IP entity to Duo Security.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
new file mode 100644
index 00000000..83f1a1ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eba9eb63-e5e8-4617-87f7-492aedad803a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eba9eb63-e5e8-4617-87f7-492aedad803a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Duo Security",
+ "enabled": false,
+ "description": "Identifies a match in DuoSecurity from any IP IOC from TI",
+ "alertRuleTemplateName": "d23ed927-5be3-4902-a9c1-85f841eb4fa1"
+ }
+ }
+ ]
+}
\ No newline at end of file
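Review bot: The query projects `result_s` but never uses it, so a successful Duo authentication from a TI-listed IP and a denied attempt from the same IP produce identical Medium alerts, although the former is the one that needs a response. Consider restricting to successful results inside the join subquery, or at least surfacing `result_s` and `event_type_s` via `customDetails` so triage can sort them without opening the query; the success value strings are not visible here, so confirm them against the connector schema before filtering. This rule also omits the `| where Duo_TimeGenerated < ExpirationDateTime` guard the other rules apply, and its `summarize ... by IndicatorId` runs after the join, collapsing every user who authenticated from the matched IP down to a single `user_name_s`.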
From 97b48d53a27ea9301993cc4db7fd256e3e79ceec Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:29 +0000
Subject: [PATCH 336/375] Exported file: TI map IP entity to
GitHub_CL.json.json
---
.../TI map IP entity to GitHub_CL.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
new file mode 100644
index 00000000..09aeb7aa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/049d9663-9edb-4269-8bfa-340896d5cfe4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/049d9663-9edb-4269-8bfa-340896d5cfe4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to GitHub_CL",
+ "enabled": false,
+ "description": "Identifies a match in GitHub_CL table from any IP IOC from TI",
+ "alertRuleTemplateName": "aac495a9-feb1-446d-b08e-a1164a539452"
+ }
+ }
+ ]
+}
\ No newline at end of file
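Review bot: The TI-side filter `| where Action == true` references a column that does not exist on ThreatIntelligenceIndicator — `Action` is a GitHubAudit column that only becomes available after the join — so the query either fails to resolve or filters on the wrong thing, and the intended `Active == true` check is lost. The other rules in this series also restrict indicators with `| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()`, which this one omits, so expired indicators would still be matched; with `queryPeriod` at `P1D` rather than `P14D` the indicator window is also much shorter than its siblings. Suggested replacement for that first filter: `| where TimeGenerated >= ago(14d) and ExpirationDateTime > now()` followed by `| where Active == true`. The displayName and description refer to a `GitHub_CL` table while the query joins `GitHubAudit`; align the text with the table actually queried.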
From 5695020782c5d308cae422065cb924166faed073 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:30 +0000
Subject: [PATCH 337/375] Exported file: TI map IP entity to
OfficeActivity.json.json
---
.../TI map IP entity to OfficeActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
new file mode 100644
index 00000000..78721a0a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to OfficeActivity",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity from any IP IOC from TI",
+ "alertRuleTemplateName": "f15370f4-c6fa-42c5-9be4-1d308f40284e"
+ }
+ }
+ ]
+}
\ No newline at end of file
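Review bot: The join `on $left.TI_ipEntity == $right.ClientIP` is an exact string comparison, and OfficeActivity's `ClientIP` can, for some workloads, carry a port suffix or IPv6 brackets (for example `[2001:db8::1]:443`), in which case those rows never match an indicator — verify against ingested data before relying on this rule. If that shape is present, normalise inside the subquery before the join, e.g. `| extend ClientIP = iif(ClientIP startswith "[", extract(@"^\[(.+)\]", 1, ClientIP), iif(countof(ClientIP, ":") == 1, tostring(split(ClientIP, ":")[0]), ClientIP))`, which strips brackets and a single `:port` while leaving bare IPv6 addresses untouched. Note that `URLCustomEntity = Url` takes `Url` from the indicator side, which for an IP indicator is usually empty; presumably harmless, but confirm it does not produce a blank URL entity on the incident.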
From 5f99527d6c036ddef28afe84b592eb61f0a19dd9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:31 +0000
Subject: [PATCH 338/375] Exported file: TI map IP entity to
SigninLogs.json.json
---
.../TI map IP entity to SigninLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
new file mode 100644
index 00000000..d42c80cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ccf4287-558c-445f-9331-ebb58c2be800')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ccf4287-558c-445f-9331-ebb58c2be800')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project 
SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to SigninLogs",
+ "enabled": false,
+ "description": "Identifies a match in SigninLogs from any IP IOC from TI",
+ "alertRuleTemplateName": "f2eb15bd-8a88-4b24-9281-e133edfba315"
+ }
+ }
+ ]
+}
\ No newline at end of file
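Review bot: The description `Identifies a match in SigninLogs from any IP IOC from TI` understates the rule's scope: `aadFunc` is applied to both `SigninLogs` and `AADNonInteractiveUserSignInLogs` and the results are unioned, so non-interactive sign-ins also raise alerts. Suggest `"description": "Identifies a match in SigninLogs or AADNonInteractiveUserSignInLogs from any IP IOC from TI"` so analysts know which table an alert may come from. Also, `union isfuzzy=true` deliberately tolerates a missing table, so if the non-interactive table is not being ingested the rule keeps running on SigninLogs alone with no signal; worth confirming both tables are populated in the target workspace. The `Type = Type` in the last extend of the subquery is a no-op and could be dropped for clarity.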
From 4093ccf88dea24afd371f65ea6771ea6b0b2cc92 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:31 +0000
Subject: [PATCH 339/375] Exported file: TI map IP entity to
VMConnection.json.json
---
.../TI map IP entity to VMConnection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
new file mode 100644
index 00000000..6144c2fa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0a9646c6-c11c-4190-83be-ff0440581ebd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0a9646c6-c11c-4190-83be-ff0440581ebd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| where VMConnection_TimeGenerated < ExpirationDateTime\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to VMConnection",
+ "enabled": false,
+ "description": "Identifies a match in VMConnection from any IP IOC from TI",
+ "alertRuleTemplateName": "9713e3c0-1410-468d-b79e-383448434b2d"
+ }
+ }
+ ]
+}
\ No newline at end of file
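Review bot: The right side of the join (`VMConnection | where TimeGenerated >= ago(dt_lookBack)`) is not filtered on `isnotempty(RemoteIp)`, unlike the W3CIISLog and WireData rules in this series, which filter `cIP` / `RemoteIP` before joining. Because `TI_ipEntity` is guaranteed non-empty by the preceding `where`, this cannot create false matches, but every VMConnection row from the hour is carried into the join; adding `| where isnotempty(RemoteIp)` after the time filter keeps the rules consistent and trims the join input.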
From e9dfffcce47d2562f6998c5941aa2e66afc2926a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:32 +0000
Subject: [PATCH 340/375] Exported file: TI map IP entity to
W3CIISLog.json.json
---
.../TI map IP entity to W3CIISLog.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
new file mode 100644
index 00000000..2d186704
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/324b11f6-6382-45b4-934b-3f60ff4457a3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/324b11f6-6382-45b4-934b-3f60ff4457a3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n // renaming time column so it is clear the log this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.cIP\n| where W3CIISLog_TimeGenerated < ExpirationDateTime\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, 
URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to W3CIISLog",
+ "enabled": false,
+ "description": "Identifies a match in W3CIISLog from any IP IOC from TI",
+ "alertRuleTemplateName": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f"
+ }
+ }
+ ]
+}
\ No newline at end of file
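Review bot: `AccountCustomEntity = csUserName` maps the IIS cs-username field directly onto an Account entity, but in the W3C extended log format an unauthenticated request records `-` in that field, so an anonymous hit from a listed IP would attach a literal `-` account to the incident and entity grouping could cluster on it. Blanking the placeholder before the mapping, e.g. `| extend csUserName = iif(csUserName == "-", "", csUserName)` inside the W3CIISLog subquery, avoids that; confirm against ingested W3CIISLog rows whether the collector already normalises the value.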
From 80a58e899eeec33f78d1f6be2a64073664a138f2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:33 +0000
Subject: [PATCH 341/375] Exported file: TI map IP entity to WireData.json.json
---
.../TI map IP entity to WireData.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
new file mode 100644
index 00000000..a8cbfc13
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n WireData | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(RemoteIP)\n // renaming time column so it is clear the log this came from\n | extend WireData_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where WireData_TimeGenerated < ExpirationDateTime\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to WireData",
+ "enabled": false,
+ "description": "Identifies a match in WireData from any IP IOC from TI",
+ "alertRuleTemplateName": "a50766a7-0674-4ccb-8845-15dc55a80ba1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From fd64a39d7cde9d93c07db35b9311e55247beae08 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:34 +0000
Subject: [PATCH 342/375] Exported file: TI map URL entity to
AuditLogs.json.json
---
.../TI map URL entity to AuditLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
new file mode 100644
index 00000000..0db2b994
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to AuditLogs",
+ "enabled": false,
+ "description": "Identifies a match in AuditLogs from any URL IOC from TI",
+ "alertRuleTemplateName": "712fab52-2a7d-401e-a08c-ff939cc7c25e"
+ }
+ }
+ ]
+}
\ No newline at end of file
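Review bot: The URL extraction `extract("(http[s]?://...)+);", 1, tostring(TargetResources))` requires a literal `;` immediately after the URL, so a URL that ends a value (followed by `"` or `,` in the serialised TargetResources JSON) is never captured and the row is dropped by the following `where isnotempty(Url)`; confirm against real AuditLogs rows that the URLs of interest are semicolon-terminated, or relax the pattern and trim separators afterwards. Inside the pattern, `[$-_@.&+]` is a character range from `$` to `_`, which also matches `;`, `,`, `<`, `=`, `>` and digits, so the greedy capture can absorb trailing separators before backtracking to the final `;`. The join `on Url` is exact, so differences in case, trailing slash or percent-encoding between the indicator and the extracted string also miss. `HostCustomEntity = TargetResourceDisplayName` maps the display name of an Azure AD directory object (user, group or application) onto a Host entity, which is not a hostname; a note in the description explaining that choice, or surfacing it as a custom detail instead, would avoid misleading triage.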
From 46366e7fc72cd09adc70f0eba5bc993537926c88 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:35 +0000
Subject: [PATCH 343/375] Exported file: TI map URL entity to OfficeActivity
data.json.json
---
...map URL entity to OfficeActivity data.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
new file mode 100644
index 00000000..03f38954
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \n) on Url\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to OfficeActivity data",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity data from any URL IOC from TI",
+ "alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b"
+ }
+ }
+ ]
+}
\ No newline at end of file
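Review bot: The final fallback in the `User` extend reads `parse_json(Parameters)[0].Vlaue`, a misspelling of `Value`, so that branch always yields an empty string and the Account entity is blank for events that have neither `UserId` nor `Actor`; change it to `tostring(parse_json(Parameters)[0].Value)`. In the URL regex, `[$-_@.&+]` is a character range from `$` to `_` rather than a literal set: it is what currently supplies `/`, `?`, `=` and `:` for path matching, but it also admits `;`, `<`, `>`, `\`, `^` and `'`, so the captured URL can run past its delimiter and then miss the exact-equality join, and an explicit class listing the intended URL characters would make that boundary deliberate. The same regex is used in the SecurityAlert and Syslog hunks below and in the AuditLogs hunk above. The hard-coded `[12].NewValue` index for non-AzureActiveDirectory workloads also looks fragile if the ModifiedProperties layout varies, though that layout is not visible in this export.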
From 2cbaf6ac0ebfa9d864350a415c2a590aeb2ade05 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:35 +0000
Subject: [PATCH 344/375] Exported file: TI map URL entity to PaloAlto
data.json.json
---
.../TI map URL entity to PaloAlto data.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
new file mode 100644
index 00000000..c1250d23
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be59c13c-c811-4444-9a72-b69c713672b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be59c13c-c811-4444-9a72-b69c713672b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to PaloAlto data",
+ "enabled": false,
+ "description": "Identifies a match in PaloAlto data from any URL IOC from TI",
+ "alertRuleTemplateName": "106813db-679e-4382-a51b-1bfc463befc3"
+ }
+ }
+ ]
+}
\ No newline at end of file
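Review bot: `columnifexists("RequestURL", "None")` uses a non-empty default, so if the column were absent the `isempty(PA_Url)` test on the next line never fires, the AdditionalExtensions fallback becomes unreachable, and every row is turned into `http://None` or `https://None` before the join; `| extend PA_Url = columnifexists("RequestURL", "")` keeps the fallback reachable. The two branches also normalise differently: the fallback lowercases via `tolower(AdditionalExtensions)` while the RequestURL branch keeps its case, and the join `$left.Url == $right.PA_Url` is case-sensitive, so an indicator containing upper-case characters can match through one branch but not the other. The fallback regex `([^\"]+)` captures the leading run of non-quote characters of AdditionalExtensions rather than a named URL field, which seems unlikely to be a bare URL, though the field layout is not visible in this export.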
From 7662254b2304c45fa678e0443263eed214233071 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:36 +0000
Subject: [PATCH 345/375] Exported file: TI map URL entity to SecurityAlert
data.json.json
---
... map URL entity to SecurityAlert data.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
new file mode 100644
index 00000000..1349ea09
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e857375b-b96a-4757-a5a6-c0ed478ee5de')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e857375b-b96a-4757-a5a6-c0ed478ee5de')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,Entities)\n // We only want alerts that actually contain URL data\n | where isnotempty(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to SecurityAlert data",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert data from any URL IOC from TI",
+ "alertRuleTemplateName": "f30a47c1-65fb-42b1-a7f4-00941c12550b"
+ }
+ }
+ ]
+}
\ No newline at end of file
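Review bot: The self-exclusion `MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)` depends on an exact ProductName string; if the platform's own TI-map alerts ever arrive under a different ProductName they pass the filter and this rule re-alerts on its own output, so the value is worth confirming against live SecurityAlert data. The `case(..., true, false)` followed by `| where MSTI == false` can be collapsed to `| where not(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel')`, which reads as the exclusion it is. The `Compromised_Host` extraction from `ExtendedProperties` is unguarded, so alerts lacking that property produce an empty `HostCustomEntity`; a short comment stating that this is intended would help the next maintainer.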
From dd518984748a4c28b2acac487194c14227f377f3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:37 +0000
Subject: [PATCH 346/375] Exported file: TI map URL entity to Syslog
data.json.json
---
.../TI map URL entity to Syslog data.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
new file mode 100644
index 00000000..1d5cd75b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80491722-4553-4683-a9a0-8f14ea6dfe08')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80491722-4553-4683-a9a0-8f14ea6dfe08')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to Syslog data",
+ "enabled": false,
+ "description": "Identifies a match in Syslog data from any URL IOC from TI",
+ "alertRuleTemplateName": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 852c5968e8e04780f4c4d609acb398bd182e0cae Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:38 +0000
Subject: [PATCH 347/375] Exported file: Threats detected by Eset.json.json
---
.../Threats detected by Eset.json | 79 +++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Threats detected by Eset.json
diff --git a/SentinelExported-AnalyticsRule/Threats detected by Eset.json b/SentinelExported-AnalyticsRule/Threats detected by Eset.json
new file mode 100644
index 00000000..f18c55d7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Threats detected by Eset.json
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb68e7af-1e04-45c3-985f-76e076002f57')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb68e7af-1e04-45c3-985f-76e076002f57')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "CredentialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Threats detected by Eset",
+ "enabled": false,
+ "description": "Escalates threats detected by Eset.",
+ "alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 6e2082a6c265ffa9ea5177c7e8170fc4ed46b65f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:39 +0000
Subject: [PATCH 348/375] Exported file: Time series anomaly detection for
total volume of traffic.json.json
---
...detection for total volume of traffic.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
new file mode 100644
index 00000000..959377cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d781e96-280e-4760-8a74-e28bcd7ef128')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d781e96-280e-4760-8a74-e28bcd7ef128')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 3,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet percentotalthreshold = 50;\nlet TimeSeriesData = CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\n// Filtering specific records associated with spikes as outliers\nlet TimeSeriesAlerts=materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\n| extend AnomalyHour = TimeGeneratedHour\n) on AnomalyHour, DeviceVendor\n| extend PercentTotal 
= round((HourlyCount / Total) * 100, 3)\n| where PercentTotal > percentotalthreshold\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Time series anomaly detection for total volume of traffic",
+ "enabled": false,
+ "description": "Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious",
+ "alertRuleTemplateName": "06a9b845-6a95-4432-a78b-83919b28c375"
+ }
+ }
+ ]
+}
\ No newline at end of file
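Review bot: The IP entity is taken from `SourceIPMax = arg_max(SourceIP, *)`, which compares the address as a string and so picks the lexicographically greatest source in the anomaly hour rather than the one contributing most traffic, leaving the mapped entity effectively arbitrary with respect to the anomaly; selecting the source with the highest `HourlyCount` (an `arg_max` keyed on `HourlyCount` in a preceding summarize, with the summed column renamed to avoid the name clash) would make the entity meaningful. The description carries spelling errors worth fixing in the rule: `anamalous` → `anomalous`, `exluded` → `excluded`, and the query comment `popalate` → `populate`. The `query` value also appears split across two physical lines at `| extend PercentTotal` / `= round(`; a raw line break inside a JSON string is invalid, so confirm this is only an artefact of the export or rendering and not the committed content.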
From fd335c2ea64eda0a45224a21aecea88e1cdbbd9d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:39 +0000
Subject: [PATCH 349/375] Exported file: Time series anomaly for data size
transferred to public internet.json.json
---
...a size transferred to public internet.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
new file mode 100644
index 00000000..c701785c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26ed4120-b9df-487e-bf25-3f179ebf75f4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26ed4120-b9df-487e-bf25-3f179ebf75f4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet bytessentperhourthreshold = 10;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet TimeSeriesData = (union isfuzzy=true\n(\nVMConnection\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| project TimeGenerated, BytesSent, DeviceVendor\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n),\n(\nCommonSecurityLog\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| project TimeGenerated, SentBytes, DeviceVendor\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n)\n);\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\n| project DeviceVendor, AnomalyHour, 
TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n//Union of all BaseLogs aggregated per hour\nlet BaseLogs = (union isfuzzy=true\n(\nCommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n),\n(\nVMConnection\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\n| extend 
DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n)\n);\n// Join against base logs to retrive records associated with the hour of anomoly\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\n) on DeviceVendor, AnomalyHour | sort by score desc\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| project 
DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Time series anomaly for data size transferred to public internet",
+ "enabled": false,
+ "description": "Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious",
+ "alertRuleTemplateName": "f2dd4a3a-ebac-4994-9499-1a859938c947"
+ }
+ }
+ ]
+}
\ No newline at end of file
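Review bot: `| where Rank < 10` in both BaseLogs branches of the query keeps nine rows per hour, not the "Top 10" the adjacent comment promises, because row_number(1, …) numbers from 1; change it to `| where Rank <= 10` or correct the comment. PrivateIPregex only treats RFC 1918 and loopback space as private, so link-local 169.254.0.0/16, CGNAT 100.64.0.0/10 and every IPv6 destination are counted as "public" and inflate both the baseline series and the per-hour totals; extending the pattern, or using ipv4_is_private() where the feeds are IPv4-only, would make the anomaly score reflect actual egress. The description string also carries the typo "exluded", as does the preceding rule's.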
From 1c3ddc754340e28d41490f460d25caa058176ad2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:40 +0000
Subject: [PATCH 350/375] Exported file: Trust Monitor Event.json.json
---
.../Trust Monitor Event.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Trust Monitor Event.json
diff --git a/SentinelExported-AnalyticsRule/Trust Monitor Event.json b/SentinelExported-AnalyticsRule/Trust Monitor Event.json
new file mode 100644
index 00000000..66054f76
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Trust Monitor Event.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2397d157-f3c4-485d-acd3-008ab8612c60')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2397d157-f3c4-485d-acd3-008ab8612c60')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeframe = ago(5m);\nDuoSecurityTrustMonitor_CL\n| where TimeGenerated >= timeframe\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Trust Monitor Event",
+ "enabled": false,
+ "description": "This query identifies when a new trust monitor event is detected.",
+ "alertRuleTemplateName": "8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182"
+ }
+ }
+ ]
+}
\ No newline at end of file
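Review bot: The query's `| where TimeGenerated >= timeframe` with `timeframe = ago(5m)` duplicates the PT5M queryPeriod, and with queryPeriod equal to queryFrequency there is no overlap between runs, so any Duo record that arrives with ingestion latency greater than the scheduler's slack is presumably never evaluated; the same zero-overlap window appears in the next two rules (User Accessed Suspicious URL Categories, User Login from Different Countries within 3 hours). Dropping the in-query time filter and widening the lookback, e.g. `"queryPeriod": "PT10M"` while keeping `"queryFrequency": "PT5M"`, catches late data at the cost of possible duplicates, which suppression or grouping can absorb. With triggerThreshold 0 and no filter on event type, every Trust Monitor event becomes its own incident, so enabling groupingConfiguration on the Account entity is worth considering before the rule is enabled.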
From 1247cce9a5c00c33deaa6561b57b8665f35a071c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:41 +0000
Subject: [PATCH 351/375] Exported file: User Accessed Suspicious URL
Categories.json.json
---
...er Accessed Suspicious URL Categories.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
diff --git a/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
new file mode 100644
index 00000000..079df84a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e16dc82-ea01-41d5-aa55-6390a418421d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e16dc82-ea01-41d5-aa55-6390a418421d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nSymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "User Accessed Suspicious URL Categories",
+ "enabled": false,
+ "description": "Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.",
+ "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 286711357994d3ffbf8da2f4f3b92c5dd8d26268 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:41 +0000
Subject: [PATCH 352/375] Exported file: User Accounts - Sign in Failure due to
CA Spikes.json.json
---
...ts - Sign in Failure due to CA Spikes.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
diff --git a/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
new file mode 100644
index 00000000..39dd9a72
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\n| project TimeGenerated, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and 
round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Accounts - Sign in Failure due to CA Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c"
+ }
+ }
+ ]
+}
\ No newline at end of file
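Review bot: The join side of the query bins sign-ins with `bin(TimeGenerated, 1h)` and filters `DateHour in ((AnomalyHours))`, but AnomalyHours comes from a make-series with `step timeframe` where `timeframe = 1d`, so its values are day boundaries and only sign-ins from the 00:00–01:00 UTC hour of an anomalous day pass the filter. Either bin to the same step, `| extend DateHour = bin(TimeGenerated, 1d)`, or make the series hourly if hourly detail is intended; under the current step the column named HourlyCount is a daily count and AnomalyHour is a day. `let allSignins = union isfuzzy=true aadSignin, aadNonInt ;` is never referenced and can be removed. The description string has the typo "policied" (policies).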
From b5cf5440d76bbcd186607b2704a7e4d70888a3d8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:42 +0000
Subject: [PATCH 353/375] Exported file: User Assigned Privileged
Role.json.json
---
.../User Assigned Privileged Role.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
diff --git a/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
new file mode 100644
index 00000000..27d37b55
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "User Assigned Privileged Role",
+ "enabled": false,
+ "description": "Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "050b9b3d-53d0-4364-a3da-1b678b8211ec"
+ }
+ }
+ ]
+}
\ No newline at end of file
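Review bot: Only the Target account is mapped as an entity, while the Initiator column the query computes (the user or app that performed the assignment) is not surfaced, even though it is the first thing an analyst needs when the assignment is unexpected. Where Initiator holds a user principal name, a second Account mapping `{"identifier": "FullName", "columnName": "Initiator"}` would cover it; when Initiator is an app display name the value is not an account, so a separate column for the app case may be cleaner. `| where RoleName contains "Admin"` is a name heuristic: privileged roles whose display name lacks "Admin" are missed and anything named with "Admin" is included, so a maintained list of role template IDs or display names is more dependable.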
From c9c92c241c786abc97e2b040c42afa216ecd5a3f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:43 +0000
Subject: [PATCH 354/375] Exported file: User Login from Different Countries
within 3 hours.json.json
---
...om Different Countries within 3 hours.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
diff --git a/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
new file mode 100644
index 00000000..0835b8b6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Login from Different Countries within 3 hours",
+ "enabled": false,
+ "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours",
+ "alertRuleTemplateName": "2954d424-f786-4677-9ffc-c24c44c6e7d5"
+ }
+ }
+ ]
+}
\ No newline at end of file
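Review bot: The time filter `column_ifexists('published_t', now()) >= timeframe` and the reported StartTime/EndTime (min/max of TimeGenerated) use two different clocks, and when `published_t` is absent every row evaluates to now() so the in-query filter becomes a no-op and only queryPeriod bounds the data. Using one field consistently, `| where TimeGenerated >= timeframe` with the existing min/max, or deriving both from published_t, keeps the 3-hour window meaningful. `dcount(client_geographicalContext_country_s)` presumably counts an empty country string as a distinct value, so sign-ins with no geolocation could satisfy the threshold together with a single real country — confirm, and if so add `| where isnotempty(client_geographicalContext_country_s)` before the summarize.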
From f8deb385338e3484258cdd6ed41f334e6ef2b0c1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:44 +0000
Subject: [PATCH 355/375] Exported file: User account added to built in domain
local or global group.json.json
---
...built in domain local or global group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
new file mode 100644
index 00000000..721fa067
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nSecurityEvent \n// When MemberName contains '-' this indicates addition of a group to a group\n| where AccountType == \"User\" and MemberName != \"-\"\n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group\n| where EventID in (4728, 4732, 4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\",OU|,CN\") - 3)\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a user account has been added to a privileged built in domain local group or global group \nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.",
+ "alertRuleTemplateName": "a35f2c18-1b97-458f-ad26-e033af18eb99"
+ }
+ }
+ ]
+}
\ No newline at end of file
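Review bot: WellKnownGroupSID treats RIDs 1102, 1103 and 1000 as fixed identifiers for specific groups (presumably DnsAdmins, DnsUpdateProxy and similar), but RIDs at or above 1000 are allocated from the domain's RID pool at creation time and are not well-known, so in many domains these patterns match unrelated groups or miss the intended ones; matching those groups on TargetUserName, or resolving the SIDs per domain, is more reliable. The `5[0-9][0-9]$` domain pattern also includes 513 Domain Users, 514 Domain Guests and 515 Domain Computers, which are not privileged and can add noise next to 512, 518 and 519. `SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @",OU|,CN") - 3)` assumes MemberName is a distinguished name; when it is not, indexof_regex returns -1 and the resulting substring is unclear — confirm, and consider `iff(indexof_regex(MemberName, @",OU|,CN") < 0, MemberName, substring(...))` as the fallback.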
From 8b5ce3935c57532ecb72e3cf11c7f4292d78bbd1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:45 +0000
Subject: [PATCH 356/375] Exported file: User account created and deleted
within 10 mins.json.json
---
...nt created and deleted within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
new file mode 100644
index 00000000..c2087015
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was created\n| where EventID == 4720\n| where AccountType =~ \"User\"\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was deleted\n | where EventID == 4726\n| where AccountType == \"User\"\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where deletionTime - creationTime < spanoftime\n| extend TimeDelta = deletionTime - creationTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account created and deleted within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "4b93c5af-d20b-4236-b696-a28b8c51407f"
+ }
+ }
+ ]
+}
\ No newline at end of file
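Review bot: The deletion leg of the query filters `| where AccountType == "User"` with the case-sensitive operator while the creation leg uses `| where AccountType =~ "User"`, so the two sides of the join apply different matching and an event whose AccountType differs only in casing would survive one side but not the other. The sibling rule in the next patch uses `=~` on both legs; aligning this one to `| where AccountType =~ "User"` removes the inconsistency. Separately, `"techniques": null` leaves the rule without ATT&CK technique tags although `tactics` is populated, which weakens MITRE coverage reporting for an otherwise well-scoped account-lifecycle detection.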
From a78217d0a81f36e698573520cd0320974e023b33 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:45 +0000
Subject: [PATCH 357/375] Exported file: User account enabled and disabled
within 10 mins.json.json
---
...t enabled and disabled within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
new file mode 100644
index 00000000..e20a7721
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was enabled\n| where EventID == 4722\n| where AccountType =~ \"User\"\n| where TargetAccount !hassuffix \"$\"\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was disabled\n | where EventID == 4725\n| where AccountType =~ \"User\"\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where DisableTime - EnableTime < spanoftime\n| extend TimeDelta = DisableTime - EnableTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account enabled and disabled within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "3d023f64-8225-41a2-9570-2bd7c2c4535e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From eb4c4f5c3d3ee6f9abf15d12f23387f99ad80b9b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:46 +0000
Subject: [PATCH 358/375] Exported file: User added to Azure Active Directory
Privileged Groups.json.json
---
...re Active Directory Privileged Groups.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
diff --git a/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
new file mode 100644
index 00000000..7ef1fb82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-expand TargetResources\n| extend modProps = parse_json(TargetResources).modifiedProperties\n| mv-expand bagexpansion=array modProps\n| evaluate bag_unpack(modProps)\n| extend displayName = column_ifexists(\"displayName\", \"NotAvailable\"), newValue = column_ifexists(\"newValue\", \"NotAvailable\")\n| where displayName =~ \"Role.WellKnownObjectName\"\n| extend DisplayName = displayName, GroupName = replace('\"','',newValue)\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\n| extend AppId = initByApp.appId, \nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \"not available\"),\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\nUserId = initByUser.id,\nUserIPAddress = initByUser.ipAddress,\nUserRoles = initByUser.roles,\nUserPrincipalName = tostring(initByUser.userPrincipalName),\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), 
ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \"not available\")\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User added to Azure Active Directory Privileged Groups",
+ "enabled": false,
+ "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+ "alertRuleTemplateName": "4d94d4a9-dc96-410a-8dea-4d4d4584188b"
+ }
+ }
+ ]
+}
\ No newline at end of file
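Review bot: `UserIPAddress` is projected by the query but the only entity mapping is Account (`AccountCustomEntity`), so the initiating IP never becomes an incident entity and cannot drive IP-based grouping, enrichment or investigation-graph pivots. A second mapping with `"entityType": "IP"` and a field mapping of `"identifier": "Address", "columnName": "UserIPAddress"` would expose it; the column is presumably empty for app-initiated changes, since it is read from `initByUser.ipAddress`, which Sentinel tolerates. Also `queryFrequency` and `queryPeriod` are both `PT1H`, so AuditLogs rows that arrive late can fall between two consecutive runs and never be evaluated; a slightly longer period (for example `"queryPeriod": "PT2H"`) closes that gap at the cost of possible duplicate alerts. The same equal frequency/period pattern appears in the log4j, VIP-search and Vectra rules below.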
From 3b45cfc3aac0cdad8de0fd60413b156b7ce95993 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:47 +0000
Subject: [PATCH 359/375] Exported file: User agent search for log4j
exploitation attempt.json.json
---
...search for log4j exploitation attempt.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
diff --git a/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
new file mode 100644
index 00000000..c379ac60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57d051c8-0108-455a-9a94-bfa7c7c8e565')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57d051c8-0108-455a-9a94-bfa7c7c8e565')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent 
matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(imWebSessions\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = URL\n),\n(imNetworkSession\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User agent search for log4j exploitation attempt",
+ "enabled": false,
+ "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
+ "alertRuleTemplateName": "29283b22-a1c0-4d16-b0a9-3460b655a46a"
+ }
+ }
+ ]
+}
\ No newline at end of file
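Review bot: The `UARegex` value, once the JSON escaping is undone, is the KQL verbatim string `@'(\\$|%24)(\\{|%7B)…'`; because `@'…'` strings take backslashes literally, the regex engine receives `\\$`, i.e. an escaped backslash followed by an end-of-input anchor rather than a literal dollar sign, and `\\{` likewise means backslash-then-brace. If the exported text is faithful to the deployed rule, the regex branch for a plain `${` prefix can never match, leaving only the `%24`-encoded branch and the `has_any` literal list effective, which is narrower coverage than the pattern was evidently written for. Single backslashes are what the pattern needs: `let UARegex = @'(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)';` (written as `\\$` and `\\{` inside the JSON string). Worth confirming against the source template before changing, as the doubling could also be an export artefact.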
From 59cf4ab59fb04eb711dede86bef6720970f1e9d3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:48 +0000
Subject: [PATCH 360/375] Exported file: User joining Zoom meeting from
suspicious timezone.json.json
---
...Zoom meeting from suspicious timezone.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
diff --git a/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
new file mode 100644
index 00000000..4cd66a44
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet schedule_lookback = 14d; \nlet join_lookback = 1d; \n// If you want to whitelist specific timezones include them in a list here\nlet tz_whitelist = dynamic([]);\nlet meetings = ( \nZoomLogs \n| where TimeGenerated >= ago(schedule_lookback) \n| where Event =~ \"meeting.created\" \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \nZoomLogs \n| where TimeGenerated >= ago(join_lookback) \n| where Event =~ \"meeting.participant_joined\" \n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| where JoinedTimeZone !in (tz_whitelist)\n| join (meetings) on MeetingId \n| where SchedTimezone != JoinedTimeZone \n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User joining Zoom meeting from suspicious timezone",
+ "enabled": false,
+ "description": "The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones",
+ "alertRuleTemplateName": "58fc0170-0877-4ea8-a9ff-d805e361cfae"
+ }
+ }
+ ]
+}
\ No newline at end of file
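Review bot: `| where SchedTimezone != JoinedTimeZone` treats a missing timezone as a mismatch: both values come from `tostring(parse_json(MeetingEvents).Timezone)`, which yields an empty string when the property is absent, so any join or creation event without a Timezone field will alert. Adding `| where isnotempty(SchedTimezone) and isnotempty(JoinedTimeZone)` before the comparison removes that false-positive source. The `JoiningUser=payload_object_participant_user_name_s` projection also reads a raw column rather than the parsed `MeetingEvents` bag used for every other field; if that column is not present in the connector's schema the `project` will fail, so it should be checked against the ZoomLogs table.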
From 731c4743d11b54f4e5b96ba81520fce408439bc1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:48 +0000
Subject: [PATCH 361/375] Exported file: User login from different countries
within 3 hours (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
new file mode 100644
index 00000000..6bd39a50
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let timeframe = ago(3h);\nlet threshold = 2;\nimAuthentication\n| where TimeGenerated > timeframe\n| where EventType=='Logon' and EventResult=='Success'\n| where isnotempty(SrcGeoCountry)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\n , NumOfCountries = dcount(SrcGeoCountry)\n by TargetUserId, TargetUsername, TargetUserType\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User login from different countries within 3 hours (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "This query searches for successful user logins from different countries within 3 hours.\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "09ec8fa2-b25f-4696-bfae-05a7b85d7b9e"
+ }
+ }
+ ]
+}
\ No newline at end of file
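Review bot: The evaluation window is exactly one run wide: `let timeframe = ago(3h);` in the query, `"queryPeriod": "PT3H"` and `"queryFrequency": "PT3H"` all coincide, so two successful logons from different countries that land in adjacent runs are never summarised together and the "within 3 hours" promise in the displayName only holds inside a single run. Overlapping the windows (for example `"queryPeriod": "PT6H"` with a matching `let timeframe = ago(6h);` and the frequency left at PT3H) closes the seam but also widens what counts as "within 3 hours", so a time-binned variant may be preferable if the exact span matters. Whichever is chosen, enabling `groupingConfiguration` so repeated hits for the same `TargetUsername` merge would keep the overlap from producing duplicate incidents.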
From 5cdb28720224861c060b2a228de311cd9c611afc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:49 +0000
Subject: [PATCH 362/375] Exported file: Users searching for VIP user
activity.json.json
---
...Users searching for VIP user activity.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
diff --git a/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
new file mode 100644
index 00000000..cd2e9241
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/604dfab2-c845-4910-876f-76dce9eb58cb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/604dfab2-c845-4910-876f-76dce9eb58cb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Users searching for VIP user activity",
+ "enabled": false,
+ "description": "This query monitors for users running Log Analytics queries that contain filters\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.",
+ "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e"
+ }
+ }
+ ]
+}
\ No newline at end of file
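Review bot: The `vips` list is still the template placeholder, `dynamic(['vip1@email.com','vip2@email.com'])`, and the comment in the query itself says to replace it, so as exported the first `has_any (vips)` clause matches nothing real and only the `_GetWatchlist("VIPUsers")` text match is effective. If this export is meant to be redeployable, deriving `vips` from the `SearchKey` column of `_GetWatchlist('VIPUsers')` instead of a hard-coded list avoids committing identities to the repository and keeps the rule in step with the watchlist it already keys on. `allowed_users` is likewise empty, so every analyst who legitimately runs such a query will raise this alert; the exclusion list should be populated before the rule is enabled or it will be noisy.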
From ca617ae65ca3177a2dcfbc1662e403f9e2c4f2ae Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:50 +0000
Subject: [PATCH 363/375] Exported file: Valid Analytic Rule 1.json.json
---
.../Valid Analytic Rule 1.json | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
diff --git a/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
new file mode 100644
index 00000000..809909b8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "SecurityAlert",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "alert name {{AlertName}}",
+ "alertDescriptionFormat": "DESC test {{Description}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [],
+ "techniques": null,
+ "displayName": "Valid Analytic Rule 1",
+ "enabled": true,
+ "description": "DESCRIPTION CHECK",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
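Review bot: This is the only rule in the series exported with `"enabled": true`, and its content (`"query": "SecurityAlert"`, `"description": "DESCRIPTION CHECK"`, `"alertDisplayNameFormat": "alert name {{AlertName}}"`, `"alertRuleTemplateName": null`) reads as a validation fixture rather than a production detection; re-deploying it would raise a High-severity incident every five hours whenever any SecurityAlert row exists, duplicating every other alert in the workspace. Either export it with `"enabled": false` like its siblings or keep it out of the deployable rule set. Also `"groupByAlertDetails": []` and `"groupByCustomDetails": []` here versus `null` in the other exports means the same keys carry two types across the repository, which complicates any tooling that validates these files.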
From 7e28751387fba193eab8331ba1fd8f20d9309d11 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:51 +0000
Subject: [PATCH 364/375] Exported file: Vectra AI Detect - Detections with
High Severity.json.json
---
...etect - Detections with High Severity.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
new file mode 100644
index 00000000..5276902f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc28747a-f907-4cf8-b2e2-099b4663b67e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc28747a-f907-4cf8-b2e2-099b4663b67e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, 
vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Detections with High Severity",
+ "enabled": false,
+ "description": "Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.",
+ "alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798"
+ }
+ }
+ ]
+}
\ No newline at end of file
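Review bot: The `source_entity` fallback literal on the query line is misspelled `"UNKNWON"`; it should be `"UNKNOWN"` to match the `Tactic` fallback, and the same misspelling recurs in the Suspicious Behaviors hunk. The rule-level `tactics` array lists CredentialAccess and Collection, but the query's `Tactic` mapping only ever yields CommandAndControl, Impact, Exfiltration, LateralMovement or Discovery, so the metadata advertises tactics this rule cannot produce. The description says "Threat score superior to 7.0" while the filter is `todecimal(LogSeverity) >= severity_threshold`, which includes exactly 7.0; one of the two should be changed so they agree.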
From a7640dc530e504058ce38b2daff2b6521eadfb12 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:52 +0000
Subject: [PATCH 365/375] Exported file: Vectra AI Detect - New Campaign
Detected.json.json
---
...tra AI Detect - New Campaign Detected.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
new file mode 100644
index 00000000..efaa9e94
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID contains \"campaign\"\n| where DeviceAction == \"START\"\n| extend reason = extract(\"reason=(.+?)$\", 1, AdditionalExtensions)\n| project-rename vectra_URL = DeviceCustomString4\n| project Activity,SourceHostName, reason, vectra_URL\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - New Campaign Detected",
+ "enabled": false,
+ "description": "Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.",
+ "alertRuleTemplateName": "a34d0338-eda0-42b5-8b93-32aae0d7a501"
+ }
+ }
+ ]
+}
\ No newline at end of file
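Review bot: The `project Activity,SourceHostName, reason, vectra_URL` step near the end of the query drops TimeGenerated, so unlike the sibling Vectra rules this one sets no `timestamp` column and the alert carries no event time alongside the host entity. Keep it in the projection, `| project TimeGenerated, Activity, SourceHostName, reason, vectra_URL`, and add `timestamp = TimeGenerated` to the final extend. The `contains "campaign"` filter is a case-insensitive substring match; if only the `campaigns` event class is intended (the other rules in this series exclude it by exact name), `== "campaigns"` would be tighter, though I cannot confirm the exact class name from here.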
From 8f2a392c3709217a447047bb5bfdbf6423dfbabe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:52 +0000
Subject: [PATCH 366/375] Exported file: Vectra AI Detect - Suspected
Compromised Account.json.json
---
...etect - Suspected Compromised Account.json | 74 +++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
new file mode 100644
index 00000000..e5c6ffe8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspected Compromised Account",
+ "enabled": false,
+ "description": "Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.",
+ "alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0"
+ }
+ }
+ ]
+}
\ No newline at end of file
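Review bot: The `level` case on the query line uses `certainty_score <= 50` for the High branch but `>= 50` for the Medium and Critical branches, so a certainty of exactly 50 is classed Medium when threat_score < 50 yet High rather than Critical when threat_score >= 50; `threat_score >= 50 and certainty_score < 50, "High",` makes the split consistent. The same case expression appears in the Suspected Compromised Host hunk and the Suspicious Behaviors hunk. The computed `Severity` column is projected but the rule declares no `alertDetailsOverride` with `alertSeverityColumnName`, so every alert fires at the fixed `"severity": "Medium"` regardless of level; either wire the column or drop it from the query, and the same applies to the Host and Suspicious Behaviors rules. The inline comment `//keep only the event with the highest threat score per Host` was copied from the host rule; here the summarize is by `saccount`, so it should read `per account`.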
From 27eccccd1bc8f958ddb2f6b803246352d2c28287 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:53 +0000
Subject: [PATCH 367/375] Exported file: Vectra AI Detect - Suspected
Compromised Host.json.json
---
...I Detect - Suspected Compromised Host.json | 83 +++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
new file mode 100644
index 00000000..05d83de4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by SourceHostName\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspected Compromised Host",
+ "enabled": false,
+ "description": "Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.",
+ "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 6feff51fe43b53e9e914fdb7cb7c737c449f491f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:54 +0000
Subject: [PATCH 368/375] Exported file: Vectra AI Detect - Suspicious
Behaviors.json.json
---
...ctra AI Detect - Suspicious Behaviors.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
new file mode 100644
index 00000000..af7df314
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\" \n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename triaged = DeviceCustomString5\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), 
SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity , Activity\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspicious Behaviors",
+ "enabled": false,
+ "description": "Create an incident for each new malicious behavior detected by Vectra Detect. \nBy default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.",
+ "alertRuleTemplateName": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3"
+ }
+ }
+ ]
+}
\ No newline at end of file
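Review bot: The description states "By default, it looks through all tactics", but the query filters `where Category in (configured_tactics)` against five listed categories and maps anything else to `"UNKNOWN"`, so detections whose `cat=` value is outside that list are silently dropped. Either the description should name the five categories covered by default, or the filter should also admit rows whose `Tactic` resolved to `UNKNOWN` if the intent really is to cover everything. The `triaged` column is carried through from DeviceCustomString5 but nothing in the rule filters on it, so whether triaged detections are meant to be excluded is unclear and deserves a comment in the query.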
From 6ee12b71631ef9c3fce2d26034aa2e8ba0a6763a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:55 +0000
Subject: [PATCH 369/375] Exported file: Vulnerable Machines related to OMIGOD
CVE-2021-38647.json.json
---
...ines related to OMIGOD CVE-2021-38647.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
new file mode 100644
index 00000000..2f384871
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
+ "enabled": false,
+ "description": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal",
+ "alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b"
+ }
+ }
+ ]
+}
\ No newline at end of file
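Review bot: The `parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *` step only yields a host name when the resource id contains `virtualMachines/`; any recommendation row with a different resource shape ends up with an empty `VirtualMAchine` and therefore an empty `HostCustomEntity`, so a guard such as `| where isnotempty(VirtualMAchine)` before the summarize would avoid entity-less alerts (whether such rows occur depends on what the recommendation export contains). The captured column is inconsistently capitalised (`VirtualMAchine`) and the final extend sets `Timestamp` where the other rules in this series use `timestamp`; both should be normalised. The description also misspells "reference" as "refrence". The same query and description wording appear in the log4j CVE-2021-44228 hunk.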
From b923b83d7dea789c5e7e605677b3fe04822b7a37 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:56 +0000
Subject: [PATCH 370/375] Exported file: Vulnerable Machines related to log4j
CVE-2021-44228.json.json
---
...hines related to log4j CVE-2021-44228.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
new file mode 100644
index 00000000..7586f07a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to log4j CVE-2021-44228",
+ "enabled": false,
+ "description": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271",
+ "alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 0c25d2c3be88ae540a91fb9f42de0b0cbcec3e92 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:57 +0000
Subject: [PATCH 371/375] Exported file: Wazuh - Large Number of Web errors
from an IP.json.json
---
...Large Number of Web errors from an IP.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
diff --git a/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
new file mode 100644
index 00000000..87204239
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nCommonSecurityLog\n| where DeviceProduct =~ \"Wazuh\"\n| where Activity has \"Web server 400 error code.\"\n| where Message has \"403\"\n| extend HostName=substring(split(DeviceCustomString1,\")\")[0],1)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\n| where NumberOfErrors > 400\n| sort by NumberOfErrors desc\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Wazuh - Large Number of Web errors from an IP",
+ "enabled": false,
+ "description": "Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst",
+ "alertRuleTemplateName": "2790795b-7dba-483e-853f-44aa0bc9c985"
+ }
+ }
+ ]
+}
\ No newline at end of file
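Review bot: The aggregation in the `"query"` line makes this rule unable to fire: `NumberOfErrors = dcount(SourceIP) by HostName, SourceIP` groups on SourceIP and then counts distinct SourceIP values inside each group, which is always 1, so `| where NumberOfErrors > 400` discards every row. The `"description"` promises a count of 403 responses from one IP, which is `NumberOfErrors = count()` in the summarize; with that change the rest of the pipeline (sort, entity extend) works as written. Separately, `"tactics": ["Persistence"]` looks unrelated to a burst of 403s, which reads more like reconnaissance or access-probing behaviour — presumably Discovery or InitialAccess was intended; worth confirming against the source template.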
From 4d7462944173a196bf57148530c51be2782e190f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:57 +0000
Subject: [PATCH 372/375] Exported file: Web sites blocked by Eset.json.json
---
.../Web sites blocked by Eset.json | 88 +++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
diff --git a/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
new file mode 100644
index 00000000..7722ffc8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
@@ -0,0 +1,88 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "eset_CL\n| where event_type_s == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration",
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Web sites blocked by Eset",
+ "enabled": false,
+ "description": "Create alert on web sites blocked by Eset.",
+ "alertRuleTemplateName": "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9"
+ }
+ }
+ ]
+}
\ No newline at end of file
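Review bot: The `"query"` line returns every `FilteredWebsites_Event` row unaggregated, and with `"triggerThreshold": 0` on a five-minute cadence (`"queryFrequency": "PT5M"`) any routine web-filter block raises an alert, so this is likely to be noisy wherever Eset web filtering is active. If the intent is one alert per affected user or host, a `| summarize count() by username_s, hostname_s, ipv4_s, object_uri_s` ahead of the final `extend`, or a non-zero threshold, would keep the volume bounded. The `"description"` is also too thin for triage: it should at least name the table (`eset_CL`) and connector that populate it and what an analyst is expected to check on the blocked URL.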
From d6a8a1464ef70be46499dc85838f9845ac3fc004 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:58 +0000
Subject: [PATCH 373/375] Exported file: Zoom E2E Encryption Disabled.json.json
---
.../Zoom E2E Encryption Disabled.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
diff --git a/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
new file mode 100644
index 00000000..e1fea2e8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend NewE2ESetting = columnifexists(\"payload_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| extend OldE2ESetting = columnifexists(\"payload_old_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Zoom E2E Encryption Disabled",
+ "enabled": false,
+ "description": "This alerts when end to end encryption is disabled for Zoom meetings.",
+ "alertRuleTemplateName": "e4779bdc-397a-4b71-be28-59e6a1e1d16b"
+ }
+ }
+ ]
+}
\ No newline at end of file
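Review bot: The filter in the `"query"` line appears inverted relative to the `"displayName"`: `OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'` matches a settings update that turns end-to-end encryption on, yet the rule is named and described as detecting it being disabled. Unless the Zoom payload field has reversed polarity, the condition should read `| where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'`, and the description should say which direction is alerted. The `"tactics"` of CredentialAccess and Discovery also sit loosely against an encryption downgrade — DefenseEvasion may be nearer — but that is a judgement call to confirm against the source template.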
From 780ff48a37428b5994f6c436581bf23dbd580821 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:19:59 +0000
Subject: [PATCH 374/375] Exported file: new file added -- 2_14_2013.json.json
---
.../new file added -- 2_14_2013.json | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
diff --git a/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
new file mode 100644
index 00000000..07598ea9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [
+ "ResourceDevelopment"
+ ],
+ "techniques": [
+ "T1583",
+ "T1586",
+ "T1584"
+ ],
+ "displayName": "new file added -- 2/14/2013",
+ "enabled": true,
+ "description": "new file added -- 2/14/2013",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
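Review bot: This rule is exported with `"enabled": true`, a `"query"` that is the bare table `CommonSecurityLog`, `"triggerThreshold": 0` and `"createIncident": true`, so every five-hour run that sees any CEF event opens a Medium incident tagged with ResourceDevelopment techniques that bear no relation to the data; the display name and description (`new file added -- 2/14/2013`) mark it as a test fixture rather than a detection. Deploying this template as exported would pollute the incident queue, so it should either carry `"enabled": false` or be excluded from the export set. The same bare-table, enabled configuration appears in the next commit's `new test rule 1.json` (there with `"createIncident": false`).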
From d77461f8d9f98a69996b4c8447b74b6d293a1bcf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:20:00 +0000
Subject: [PATCH 375/375] Exported file: new test rule 1.json.json
---
.../new test rule 1.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/new test rule 1.json
diff --git a/SentinelExported-AnalyticsRule/new test rule 1.json b/SentinelExported-AnalyticsRule/new test rule 1.json
new file mode 100644
index 00000000..ed09e71a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/new test rule 1.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": false,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "new test rule 1",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
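Review bot: `"description": ""` and `"tactics": []` leave an enabled rule with no statement of what it detects or why an analyst should care; the neighbouring rules in this series each carry at least a one-sentence description. If the rule is meant to stay in the export, a description such as `"Test rule: matches any CommonSecurityLog row; not a detection"` would make its purpose explicit to whoever deploys the template.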