diff --git a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
index c566fa9457a..88ebd3a9bd0 100644
--- a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
@@ -1,8 +1,8 @@
 id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
 name: Accessed files shared by temporary external user
 description: |
- 'This detection identifies an external user is added to a Team or Teams chat
- and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
+ 'This detection identifies when an external user is added to a Team or Teams chat
+ and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be
 an indicator of suspicious activity.'
 severity: Low
 status: Available
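Review bot: The rewritten description still reads `and the users is removed within short period of time`, so the grammar fix in this hunk is only half done; suggest `and the user is then removed within a short period of time`. The sentence also hard-codes `(>10)` while the query (in a later hunk) compares against a `fileAccessThrehold` variable whose value is not visible here — if that threshold is tunable, wording it as `accessed by more users than the configured threshold` keeps the description from drifting out of sync with the query.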
@@ -26,17 +26,17 @@ query: | OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "MemberAdded" - | extend UPN = tostring(parse_json(Members)[0].UPN) - | where UPN contains ("#EXT#") - | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName + | extend MemberAdded = tostring(parse_json(Members)[0].UPN) + | where MemberAdded contains ("#EXT#") + | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName | join kind = inner( OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "MemberRemoved" - | extend UPN = tostring(parse_json(Members)[0].UPN) - | where UPN contains ("#EXT#") - | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName - ) on UPN + | extend MemberAdded = tostring(parse_json(Members)[0].UPN) + | where MemberAdded contains ("#EXT#") + | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName + ) on MemberAdded | where TimeDeleted > TimeAdded | join kind=inner ( @@ -53,11 +53,13 @@ query: | | summarize FileAccessCount = count() by OfficeObjectId | where FileAccessCount > fileAccessThrehold ) on $left.OfficeObjectId == $right.OfficeObjectId - )on $left.UPN == $right.UserId - | extend AccountName = tostring(split(UserWhoAdded, "@")[0]), AccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1]) + )on $left.MemberAdded == $right.UserId + | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1]) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: MemberAdded - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -66,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.2 +version: 2.0.3 kind: Scheduled 
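Review bot: The renamed `extend MemberAdded = tostring(parse_json(Members)[0].UPN)` still inspects only the first element of `Members`, so a guest added or removed in the same operation as other members is never matched; the sibling rule ExternalUserAddedRemovedInTeams in this same change uses `mv-expand Members` followed by `tostring(Members.UPN)`, and this query should do the same on both the MemberAdded and MemberRemoved branches. The inner join is also `on MemberAdded` only, although both sides project `TeamName`, so an add in one team paired with a removal from a different team is reported as a single sequence — `on MemberAdded, TeamName` would scope it. Note that the right-hand column named `MemberAdded` actually holds the removed member, which is misleading for anyone reading the joined output; a comment such as `// MemberAdded here is the guest UPN on the removal event, kept under the same name for the join` would help. The query begins before this hunk and the file-access join continues after it.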
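Review bot: The Account entity is now built from `MemberAdded` (the guest) instead of `UserWhoAdded`, so the internal user who invited the guest is no longer surfaced as an entity even though `UserWhoAdded` is still carried in the result set. If dropping the sponsor was not intended, add a second `entityType: Account` block with `FullName` mapped to `UserWhoAdded` plus its own split into Name/UPNSuffix so both parties stay on the incident. The new join line `)on $left.MemberAdded == $right.UserId` uses the case-sensitive `==`; guest UPNs in `Members` and `UserId` in OfficeActivity are not guaranteed to share casing, so `=~` would be the safer comparison.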
diff --git a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
index b776dad6c5d..ac61dd90c3b 100644
--- a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
@@ -24,25 +24,31 @@ query: | | where Operation == Op | where Members has ("#EXT#") | mv-expand Members - | extend UPN = tostring(Members.UPN) - | where UPN has ("#EXT#") - | project TimeGenerated, Operation, UPN, UserId, TeamName + | extend MemberAdded = tostring(Members.UPN) + | where MemberAdded has ("#EXT#") + | project TimeGenerated, Operation, MemberAdded, UserId, TeamName, ClientIP }; let TeamsAdd = TeamsAddDel("MemberAdded") - | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName; + | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName, ClientIP; let TeamsDel = TeamsAddDel("MemberRemoved") - | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName; + | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName, ClientIP; TeamsAdd - | join kind=inner (TeamsDel) on UPN + | join kind=inner (TeamsDel) on MemberAdded | where TimeDeleted > TimeAdded - | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName - | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) + | project TimeAdded, TimeDeleted, MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP + | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1]) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: MemberAdded - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.1 + - entityType: IP + fieldMappings: + - identifier: Address + columnName: ClientIP +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml index a9ce19f8f8e..596b399cc81 100644 
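Review bot: After `TeamsAdd | join kind=inner (TeamsDel) on MemberAdded` both inputs now carry `ClientIP`, so the join yields `ClientIP` (from the add) and `ClientIP1` (from the removal); the final `project ... ClientIP` keeps only the add-side address and silently drops the remover's, yet the new IP entity gives no hint which operation it belongs to. Rename the columns explicitly in the two projections (`AddedFromIP = ClientIP` in TeamsAdd, `RemovedFromIP = ClientIP` in TeamsDel) and map both as IP entities, or at least state in the description that the IP is the one that performed the add. The join is also `on MemberAdded` only although `TeamName` is projected on both sides, so add/remove pairs across different teams are correlated; `on MemberAdded, TeamName` would be tighter. The `TeamsAddDel` function definition begins before this hunk.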
--- a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml
@@ -37,6 +37,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -45,5 +47,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml
index 929c7b69545..d514a47c462 100644
--- a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml
@@ -41,6 +41,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -53,5 +55,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIPAddress
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml
index 1bc0cdf566d..4c9a7a3bdcb 100644
--- a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml
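Review bot: The new `FullName: UserId` mapping in Mail_redirect_via_ExO_transport_rule (and the identical one in Malicious_Inbox_Rule in this same line) assumes `OfficeActivity.UserId` is always a UPN; for Exchange audit records it can also be a system/service account string or an application identifier, in which case `FullName` carries that raw value into entity matching alongside an empty `UPNSuffix`. The existing `split` into `AccountName`/`AccountUPNSuffix` had the same limitation, so this is not a regression, but either guard the column (`| extend AccountFullName = iff(UserId has "@", UserId, "")` and map that) or add a comment in the query recording the assumption so it is explicit to the next maintainer.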
@@ -25,15 +25,21 @@ query: |
 OfficeActivity
 | where OfficeWorkload =~ "MicrosoftTeams"
 | where Operation =~ "TeamDeleted"
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId, ClientIP
 | where array_length(DeletedTeams) > max_delete_count
 | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
 columnName: AccountUPNSuffix
-version: 2.0.3
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIP
+version: 2.0.4
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml
index 5c388c08383..7ab5b6711a1 100644
--- a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml
@@ -45,6 +45,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -53,5 +55,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml
index 029f1a5ad37..1e07de1a175 100644
--- a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml
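Review bot: Adding `ClientIP` to `summarize ... by UserId, ClientIP` changes what the threshold measures: `DeletedTeams` is now counted per (user, IP) pair, so a user deleting teams from two addresses — or with `ClientIP` empty on some Teams audit records — can stay under `max_delete_count` and no longer fire, which is a detection regression rather than just an entity-mapping change. Keep the grouping per user and carry an address along instead, e.g. `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000), ClientIPs = make_set(ClientIP, 100), ClientIP = take_any(ClientIP) by UserId`, mapping the single `ClientIP` to the IP entity and surfacing `ClientIPs` as a custom detail. `max_delete_count` is defined above this hunk.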
@@ -56,6 +56,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -72,5 +74,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: FileNames
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
index 54d5f473aa5..99565734694 100644
--- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
@@ -27,6 +27,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -39,5 +41,5 @@ entityMappings:
 fieldMappings:
 - identifier: AppId
 columnName: AppId
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml
index caec2539072..6e291983aa1 100644
--- a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml
@@ -53,6 +53,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -65,5 +67,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Site_Url
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml
index c6bfd83ec82..5199f2f99df 100644
--- a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml
@@ -65,6 +65,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: UserIdName
 - identifier: UPNSuffix
@@ -77,5 +79,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Site_Url
-version: 2.2.2
+version: 2.2.3
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml
index dc37b2b7ff4..9220398fc76 100644
--- a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml
@@ -33,6 +33,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -43,5 +45,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml
index f8fae368290..93faf3aaab2 100644
--- a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml
@@ -48,6 +48,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -56,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
index 171baf281b8..f92205e0f61 100644
--- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
@@ -29,6 +29,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -55,5 +57,5 @@ incidentConfiguration:
 - Account
 groupByAlertDetails: []
 groupByCustomDetails: []
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml
index 4da564dd33f..68e356af119 100644
--- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml
@@ -29,6 +29,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserId
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -55,5 +57,5 @@ incidentConfiguration:
 - Account
 groupByAlertDetails: []
 groupByCustomDetails: []
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml
index 7a16ee0e6d9..c10fd1a9b06 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml
@@ -39,6 +39,8 @@ query: |
 entityMappings:
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
 - identifier: HostName
 columnName: HostName
 - identifier: DnsDomain
@@ -47,5 +49,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: PublicIP
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml
index 0c08de37fff..e8a30d8b103 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml
@@ -36,6 +36,8 @@ query: |
 entityMappings:
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
 - identifier: HostName
 columnName: HostName
 - identifier: DnsDomain
@@ -44,5 +46,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: PublicIP
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml
index 01581d390c0..ca32fbf6eb9 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml
@@ -28,9 +28,11 @@ query: |
 entityMappings:
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
 - identifier: HostName
 columnName: HostName
 - identifier: DnsDomain
 columnName: DnsDomain
-version: 1.1.2
+version: 1.1.4
 kind: Scheduled
\ No newline at end of file
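Review bot: Mapping the Host entity's `FullName` to `CompromisedEntity` assumes that column always names the device; in alert-derived tables it is whatever entity the alert singled out, which can be a user or a file rather than the host, while `HostName`/`DnsDomain` are derived separately in query code above this hunk that is not visible here, so the two identifiers can disagree. If the query already filters to device-scoped AV alerts, a comment next to the mapping such as `# CompromisedEntity is the device FQDN for these Defender AV alerts` records the assumption; otherwise derive `FullName` from the same source as `HostName`. The same mapping is repeated in AVTarrask and AVdetectionsrelatedtoUkrainebasedthreats in this change, and the latter also jumps from version 1.1.2 straight to 1.1.4, which looks like a typo for 1.1.3.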
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml index 05901c58f90..5f456c84eeb 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml @@ -81,11 +81,11 @@ query: | (DeviceEvents | where ActionType =~ "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl) | project UrlClickedByUserSid = RemoteUrl, - InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName + InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain ) on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, - AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName + AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain | join kind=inner ( //Suspicious url clicked found in common security logs 
@@ -100,19 +100,31 @@ query: | | where not(ipv4_is_private(DstIpAddr)) | project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes ) on $left.DestinationIP == $right.DstIpAddr //The relevant network session being projected - | summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication + | summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication | extend HostName = iff(DeviceName has '.', substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName,indexof(DeviceName,'.')+1),"") - | extend Name = tostring(split(InitiatingProcessAccountName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountName,'@',1)[0]) + | extend Name = tostring(split(RecipientEmailAddress,'@',0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress,'@',1)[0]) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccountUpn + - identifier: Name + columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountDomain + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: RecipientEmailAddress - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: DnsDomain 
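Review bot: The first new Account entity maps `UPNSuffix` to `InitiatingProcessAccountDomain`, but in the MDE device tables that column is the account's domain (typically the NetBIOS/NT domain such as `CONTOSO`), not the UPN suffix (`contoso.com`), so suffix-based entity matching will not line up with the `FullName` taken from `InitiatingProcessAccountUpn`. Derive the suffix from the UPN with `| extend InitiatingUPNSuffix = tostring(split(InitiatingProcessAccountUpn,'@')[1])`, map `UPNSuffix` to `InitiatingUPNSuffix`, and map `InitiatingProcessAccountDomain` under the `NTDomain` identifier instead. Since `Name`/`UPNSuffix` are now split from `RecipientEmailAddress` while the same column names previously described the initiating account, a one-line comment above that `extend` saying which account each entity block represents would prevent the two from being confused. The query begins before this hunk.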
@@ -125,5 +137,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: DestinationIP
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 3d53253edfa..be359ab4fb3 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -30,15 +30,26 @@ query: |-
 | distinct DeviceId;
 union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
 | where DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp")
+ | extend Name = tostring(split(AccountUpn, "@")[0]), UPNSuffix = tostring(split(AccountUpn, "@")[1])
+ | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
+ | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
 entityMappings:
 - entityType: Host
 fieldMappings:
- - identifier: HostName
+ - identifier: FullName
 columnName: DeviceName
+ - identifier: HostName
+ columnName: HostName
+ - identifier: NTDomain
+ columnName: HostNameDomain
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountName
+ columnName: AccountUpn
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
 - entityType: Process
 fieldMappings:
 - identifier: ProcessId
@@ -51,6 +62,10 @@ entityMappings:
 fieldMappings:
 - identifier: CommandLine
 columnName: ProcessCommandLine
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: LocalIPType
 suppressionEnabled: false
 incidentConfiguration:
 createIncident: false
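Review bot: The new IP entity maps `Address` to `LocalIPType`, which in DeviceNetworkEvents/DeviceEvents is the address classification (values such as `Private`/`Public`), not an address; it should be `columnName: LocalIP`, and it will only be populated for rows that come from the network/device tables in the `union`, not from DeviceProcessEvents. Separately, `HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)` falls back to the whole device name when there is no dot, so a short hostname is reported as its own domain — the fallback should be `""`. That value is the DNS suffix of the FQDN, and other rules in this same change (PossiblePhishingwithCSL, PotentialBuildProcessCompromiseMDE, SUNSPOTHashes) map the equivalent column as `DnsDomain`, so `NTDomain` here is inconsistent. The `VulnDevices` definition is above this hunk.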
@@ -69,4 +84,4 @@ alertDetailsOverride:
 alertDynamicProperties: []
 eventGroupingSettings:
 aggregationKind: SingleAlert
-version: 1.0.0
\ No newline at end of file
+version: 1.0.1
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml
index c2103fac7d3..74ad4258859 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml
@@ -42,20 +42,30 @@ query: | | where ActionType == "FileCreated" or ActionType == "FileModified" // Look for code files, edit this to include file extensions used in build. | where FileName endswith ".cs" or FileName endswith ".cpp" - | summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated) + | summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn) // join where build processes and file modifications seen at same time on same host on timekey, DeviceName // Limit to only where the file edit happens after the build process starts | where BuildProcessTime <= FileEditTime - | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess + | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn | extend HostName = iff(DeviceName has '.', substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName,indexof(DeviceName,'.')+1),"") entityMappings: - entityType: Host fieldMappings: - - identifier: HostName - columnName: HostName - - identifier: DnsDomain - columnName: DnsDomain -version: 1.0.1 + - identifier: FullName + columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain +- entityType: Account + fieldMappings: + - identifier: FullName + 
columnName: FileEditUpn + - identifier: Name + columnName: FileEditAccount + - identifier: UPNSuffix + columnName: FileEditDomain +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml index 416de705e2c..f6a667ca4a6 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml @@ -32,12 +32,23 @@ query: | | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend timestamp=TimeGenerated | extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.')) + | extend InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn entityMappings: - entityType: Host fieldMappings: - - identifier: HostName - columnName: HostName - - identifier: DnsDomain - columnName: DnsDomain -version: 1.0.1 + - identifier: FullName + columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccountUpn + - identifier: Name + columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountDomain +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml index 88ed82537f2..1a4e82f64ec 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml 
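Review bot: The final `summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn` now groups on the account columns, so `set_FileEditAccount` always holds a single value and the previous one-result-per-host-and-build aggregation becomes one result per editing account; if that fan-out is intended, drop the now-redundant `make_set(FileEditAccount)`, otherwise keep the old grouping and use `take_any(FileEditUpn)`/`take_any(FileEditDomain)` for the entity columns. The Account entity also maps `UPNSuffix` to `FileEditDomain` (`InitiatingProcessAccountDomain`), which is the account's NT/AD domain rather than a UPN suffix; derive the suffix as `tostring(split(FileEditUpn, '@')[1])` and map `FileEditDomain` as `NTDomain` instead. The build-process side of the join and `time_window` are defined above this hunk.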
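Review bot: `| extend InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn` is a no-op — `extend` of an existing column with no expression just reassigns it to itself, and it will fail to resolve rather than recover the columns if an earlier `project`/`summarize` dropped them — so the line should be removed or replaced by a real derivation. As in the other MDE rules in this change, `UPNSuffix` is mapped to `InitiatingProcessAccountDomain`, the account's NT domain; use `| extend AccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])` for `UPNSuffix` and map the domain column under `NTDomain`. The `union` that produces these rows starts above this hunk, so whether the account columns survive to this point cannot be confirmed here.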
@@ -29,20 +29,32 @@ query: | DeviceFileEvents | where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5) | extend timestamp = TimeGenerated, Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),AlgorithmEntity = "MD5" ,FileHashEntity = MD5 + | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1]) + | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) + entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: Host fieldMappings: - - identifier: HostName + - identifier: FullName columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: NTDomain + columnName: HostNameDomain - entityType: FileHash fieldMappings: - identifier: Algorithm columnName: AlgorithmEntity - identifier: Value columnName: FileHashEntity -version: 1.0.6 +version: 1.0.7 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml index fe7e124f38b..a0469c72ec3 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml 
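Review bot: `HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)` sets the domain to the entire device name when there is no dot, so non-FQDN devices get an `NTDomain` equal to their own hostname; the fallback should be `""`. The value is the DNS suffix of an FQDN, and the sibling rules in this change (SUNBURST Network-IOCs, TEARDROP, SUNSPOTHashes) map that as `DnsDomain`, so `NTDomain` here is the odd one out. The `Account` fallback to `InitiatingProcessAccountName` when the UPN is empty leaves `AccountUPNSuffix` empty in that case, which is acceptable but deserves a short comment on the `extend`, e.g. `// UPN preferred; falls back to the bare account name, in which case the suffix is empty`.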
@@ -33,10 +33,16 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
- - identifier: Name
+ - identifier: FullName
 columnName: AccountEntity
+ - identifier: Name
+ columnName: InitiatingProcessAccountName
+ - identifier: UPNSuffix
+ columnName: InitiatingProcessAccountUpn
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
 - identifier: HostName
 columnName: HostName
 - identifier: DnsDomain
@@ -55,5 +61,5 @@ entityMappings:
 columnName: HashAlgorithm
 - identifier: Value
 columnName: InitiatingProcessMD5
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
index b1a02041124..ed98895a306 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
@@ -36,10 +36,16 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
- - identifier: Name
+ - identifier: FullName
 columnName: AccountEntity
+ - identifier: Name
+ columnName: InitiatingProcessAccountName
+ - identifier: UPNSuffix
+ columnName: InitiatingProcessAccountUpn
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
 - identifier: HostName
 columnName: HostName
 - identifier: DnsDomain
@@ -50,5 +56,5 @@ entityMappings:
 columnName: FileHashType
 - identifier: Value
 columnName: InitiatingProcessSHA1
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml b/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
index 086e4aecd94..e261c826551 100644
--- a/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
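Review bot: The Account entity maps `UPNSuffix` to `InitiatingProcessAccountUpn`, i.e. the whole UPN (`user@contoso.com`) rather than its suffix, so this identifier will never match other entities' suffixes. Add `| extend AccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])` to the query and point `UPNSuffix` at `AccountUPNSuffix`, as the SUNBURST File-IOCs rule in this same change does; `InitiatingProcessAccountDomain` could then be mapped under `NTDomain`. `AccountEntity` is computed above this hunk, so whether it already holds the UPN or only the bare name cannot be verified here.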
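Review bot: The TEARDROP rule has the same defect as the SUNBURST Network-IOCs hunk above it: `UPNSuffix` is mapped to `InitiatingProcessAccountUpn`, the full UPN, not the part after `@`. Add `| extend AccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])` to the query and use `columnName: AccountUPNSuffix` for that identifier. The query and `AccountEntity` definition sit above this hunk and are not visible here.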
+++ b/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
@@ -88,6 +88,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserAccount
 - identifier: UPNSuffix
 columnName: UPNSuffix
 - identifier: Name
@@ -112,5 +114,5 @@ customDetails:
 PreviousLocation: PreviousLocation
 CurrentIPAddress: CurrentIPAddress
 PreviousIPAddress: PreviousIPAddress
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
index 5f98cee6fb8..4c2b7030fc5 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
@@ -51,20 +51,34 @@ query: | where AdditionalDetail.key =~ "User-Agent" | extend UserAgent = tostring(AdditionalDetail.value) ) - | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)) - | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) - | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId - | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + 
columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatingIpAddress -version: 1.0.1 + columnName: InitiatingIpAdress +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml index 7a33e2d6e01..ddc7cee868c 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml 
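Review bot: `InitiatingAppName` is the only one of the six new columns not wrapped in `tostring()`, so it stays a dynamic value while its siblings are strings; write it as `| extend InitiatingAppName = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))` for consistency. Because that column holds the user's UPN whenever a user initiated the change, the first Account entity then carries a full UPN as its bare `Name` next to an empty `InitiatingAppServicePrincipalId`, duplicating the user entity below it; consider populating it only for app-initiated events, `iff(isempty(InitiatedBy.user.userPrincipalName), InitiatedBy.app.displayName, "")`, and folding `InitiatingAadUserId` into the user entity instead of a third Account entity. The new IP column name `InitiatingIpAdress` is misspelled, and the same spelling is repeated in every other rule in this change, so fixing it means fixing all of them. The `project-reorder` and `timestamp` columns were dropped as well; presumably intentional, but worth confirming nothing downstream keyed on `timestamp`.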
@@ -26,21 +26,36 @@ query: | AuditLogs | where OperationName =~ "Add user" or OperationName =~ "Delete user" | where Result =~ "success" - | extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName) - | where InitiatingUser has_any (nonapproved_users) - | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources - | extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress) - | extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) + | where InitiatingUserPrincipalName has_any (nonapproved_users) + | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingAppName, TargetResources entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: 
Address - columnName: InitiatedUserIpAddress -version: 1.0.2 + columnName: InitiatingIpAdress +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml index 23e043bcb49..f30b315dfee 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml 
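Review bot: The retained `| where InitiatingUserPrincipalName has_any (nonapproved_users)` only passes rows with a user UPN, so the app branch of the new mapping can never apply in this rule: `InitiatingAppServicePrincipalId` is always empty and the first Account entity merely repeats the user's UPN as a bare `Name`. Either drop that first entity here or, at minimum, move the `where` above the six `extend`s so they are not computed for rows that are immediately discarded. The `InitiatingIpAdress` column name is misspelled, as in the sibling rules.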
@@ -45,22 +45,34 @@ query: | ) | project-rename Creation_TimeGenerated = TimeGenerated ) on UserPrincipalName - | extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated - | where TimeDelta between (time(0s) .. queryperiod) - | extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress) - | extend CreatedByApp = tostring(InitiatedBy.app.displayName) - | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources - | extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + 
columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: DeletedByIPAddress -version: 1.0.3 + columnName: InitiatingIpAdress +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml index 188b6014a66..9fdfbdbdba2 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml @@ -88,9 +88,11 @@ entityMappings: columnName: AppDisplayName - entityType: Account fieldMappings: + - identifier: FullName + columnName: Targt - identifier: Name columnName: TargetName - identifier: UPNSuffix columnName: TargetUPNSuffix -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml index 5e0c7d1b8f0..8984fbce3d4 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix 
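Review bot: The removed lines include `| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated` and `| where TimeDelta between (time(0s) .. queryperiod)`, and nothing in the new code replaces them, so the rule no longer bounds the gap between creation and deletion and will also match a deletion that precedes the creation, since the join on `UserPrincipalName` is unordered. Put those two lines back ahead of the new `extend`s. The deleting party is also no longer represented: the old IP entity was `DeletedByIPAddress`, whereas the new mapping reads the un-prefixed `InitiatedBy`, which the removed `project` shows is the creation row (the deletion side had already been renamed `Deletion_InitiatedBy`); keep the deleter's UPN and IP as a second entity set or at least in `customDetails`. The `queryperiod` definition and the left side of the join are outside the hunk.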
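Review bot: `columnName: Targt` in the new `FullName` mapping looks like a typo for `Target`; as written the identifier points at a column the query does not produce, so the entity's FullName will always be empty. Change it to `columnName: Target` — the `TargetName`/`TargetUPNSuffix` mappings beneath it suggest `Target` is the UPN column, but the query is outside the hunk, so confirm the actual column name before merging.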
@@ -60,5 +62,5 @@ alertDetailsOverride: This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations. -version: 2.0.1 +version: 2.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml index 024bc7e186f..4e99cd5cb8a 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml @@ -36,8 +36,6 @@ query: | | where TimeGenerated > ago(queryfrequency) | where Category =~ "UserManagement" | where ActivityDisplayName in (security_info_actions) - | extend Initiator = tostring(InitiatedBy.user.userPrincipalName) - | extend IP = tostring(InitiatedBy.user.ipAddress) | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "User" 
@@ -47,27 +45,34 @@ query: | // Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity. //| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result // Comment out this line below, if line above is used. - | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target - | extend InitiatorName = tostring(split(Initiator,'@',0)[0]), - InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]), - TargetName = iff(tostring(Targets) has "[", "", tostring(split(Targets,'@',0)[0])), - TargetUPNSuffix = iff(tostring(Targets) has "[", "", tostring(split(Targets,'@',1)[0])) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: InitiatorName - - identifier: UPNSuffix - columnName: InitiatorUPNSuffix + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: TargetName + columnName: 
InitiatingAccountName - identifier: UPNSuffix - columnName: TargetUPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: IP -version: 1.0.9 + columnName: InitiatingIpAdress +version: 1.0.10 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml index ad4063872b3..39d5551ea53 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml @@ -43,6 +43,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -53,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml index c81080fffc3..6064a7a11c0 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml 
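Review bot: The commented-out alternative `//| summarize ... by Initiator, IP, Result` left as context at the top of the hunk still groups by `Initiator` and `IP`, but both columns are gone (their `extend`s were removed in the previous hunk and the live `summarize` is removed here), so anyone following the instruction to uncomment it gets a failing query; rewrite it over the new names, e.g. `by InitiatingUserPrincipalName, InitiatingIpAdress, Result`, or remove the instruction. Dropping the live `summarize` also changes the output from one row per initiator/IP/result to one row per audit event, which will multiply alerts for a single bulk change. The target Account entity (`TargetName`/`TargetUPNSuffix`) is removed too, so the privileged account whose authentication methods changed is no longer an entity on the alert although `Target` is presumably still computed by the mv-apply above the hunk; keep an Account mapping with `FullName` on `Target`.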
@@ -48,21 +48,34 @@ query: | where Property.displayName =~ "ServicePrincipal.ObjectID" | extend AppServicePrincipalId = trim('"',tostring(Property.newValue)) ) - | extend - Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)), - InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id)) - | project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId - | extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name - - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: AppDisplayName -version: 1.0.5 + columnName: InitiatingAccountName + - identifier: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: 
AadUserId + columnName: InitiatingAadUserId + - entityType: IP + fieldMappings: + - identifier: Address + columnName: InitiatingIpAdress +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml index 84c030639b6..386ef4955b3 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml @@ -54,6 +54,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -71,5 +73,5 @@ alertDetailsOverride: and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner. In this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}. -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml index c2929343a08..204aae7e44d 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml @@ -52,9 +52,11 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix -version: 2.0.1 +version: 2.0.2 kind: Scheduled \ No newline at end of file 
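Review bot: The old second Account entity on `AppDisplayName` was replaced by the initiator-only set, so the service principal that received the RoleManagement permission, the object this rule exists to flag, is no longer an entity even though `AppDisplayName` and `AppServicePrincipalId` are still computed in the context lines above. Add back an Account mapping for it, now with a strong identifier: `- identifier: Name` / `columnName: AppDisplayName` plus `- identifier: AadUserId` / `columnName: AppServicePrincipalId`. The removed `project` also dropped `InitiatorId`, `CorrelationId` and the raw `InitiatedBy`/`TargetResources`/`AdditionalDetails` from the result; if analysts relied on those for triage, surface them in `customDetails`.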
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml index d13aacf2f6f..20c3e6df7a0 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml @@ -51,6 +51,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -59,5 +61,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddressFirst -version: 2.0.0 +version: 2.0.1 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml index 3015cde2155..251dc4646fc 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml 
@@ -42,24 +42,37 @@ query: | AdminRecords | extend TimeWindow = bin(TimeGenerated, 1h) ) on $left.TimeGenerated == $right.TimeWindow - | extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), "") - | extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), - InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: TargetName - - identifier: UPNSuffix - columnName: TargetUPNSuffix + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: InitiatedByUserName + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: InitiatedByUserUPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId + - entityType: IP + fieldMappings: + - identifier: Address + columnName: InitiatingIpAdress customDetails: InitiatedByUser: 
InitiatedByUser TargetUser: Target -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml index 8f5e12e8aca..80f85b8ffd7 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml @@ -60,6 +60,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -68,5 +70,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddresses -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml index dfb337743d3..f8e186908d0 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml @@ -89,6 +89,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Credential_InitiatingUserOrApp - identifier: Name columnName: Name - identifier: UPNSuffix @@ -97,5 +99,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: Consent_InitiatingIpAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml index 2a14d11cc1a..306b9229c69 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml 
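Review bot: `customDetails` still reads `InitiatedByUser: InitiatedByUser`, but the `extend InitiatedByUser = ...` line that produced that column is removed in this hunk and nothing recreates it, so the custom detail will be empty or the rule will fail validation; point it at the new column, `InitiatedByUser: InitiatingUserPrincipalName`. The target Account entity (`TargetName`/`TargetUPNSuffix`) is dropped as well, leaving the privileged accounts whose permissions were bulk-changed only as the `TargetUser` custom detail; keep an Account mapping with `FullName` on `Target`, since that is what an analyst pivots on. The `TimeWindow` join and the definition of `Target` are above the hunk.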
@@ -25,8 +25,6 @@ query: | let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]); AuditLogs | where OperationName has "Add a partner to cross-tenant access setting" - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "Policy" 
@@ -38,17 +36,34 @@ query: | | extend ExtTenantIDAdded = trim('"',tostring(Property.newValue)) ) | where ExtTenantIDAdded !in (ExpectedTenantIDs) - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress -version: 1.0.2 + columnName: InitiatingIpAdress +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml index 7b9217a7ab2..a56008e5066 100644 
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml @@ -23,8 +23,6 @@ relevantTechniques: query: | AuditLogs | where OperationName has "Delete partner specific cross-tenant access setting" - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "Policy" 
@@ -35,17 +33,34 @@ query: | where Property.displayName =~ "tenantId" | extend ExtTenantDeleted = trim('"',tostring(Property.oldValue)) ) - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress -version: 1.0.2 + columnName: InitiatingIpAdress +version: 1.0.3 kind: Scheduled 
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
index b9292532756..7dc939711dd 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
@@ -37,20 +37,35 @@ query: | | extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)), ModifiedInboundSettings = trim(@'"',tostring(Property.newValue)) ) - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) | where PremodifiedInboundSettings != ModifiedInboundSettings - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName + - identifier: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress -version: 1.0.1 + columnName: InitiatingIpAdress 
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
index 698de3bbd02..ad5c65ba19f 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
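Review bot: The first five new `extend`s are inserted ahead of the retained `| where PremodifiedInboundSettings != ModifiedInboundSettings`, while the sixth (`InitiatingAccountName`/`InitiatingAccountUPNSuffix`) lands after it, so the initiator columns are computed for rows the filter then discards and the block reads as split in two. Move the `where` up directly under the closing `)` of the mv-apply and keep all six `extend`s together after it, matching the order used in the other rules in this change. The same layout appears in the InboundDirectSettingsChanged hunk that follows. The `InitiatingIpAdress` column name is misspelled here as elsewhere.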
@@ -37,20 +37,35 @@ query: |
 | extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)), ModifiedInboundSettings = trim(@'"',tostring(Property.newValue))
 )
- | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
- | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
+ | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
+ | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
+ | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
+ | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
+ | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
 | where PremodifiedInboundSettings != ModifiedInboundSettings
- | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])
+ | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1])
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: Name
- columnName: Name
+ columnName: InitiatingAppName
+ - identifier: AadUserId
+ columnName: InitiatingAppServicePrincipalId
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: InitiatingUserPrincipalName
+ - identifier: Name
+ columnName: InitiatingAccountName
 - identifier: UPNSuffix
- columnName: UPNSuffix
+ columnName: InitiatingAccountUPNSuffix
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: InitiatingAadUserId
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: InitiatedByIPAdress
-version: 1.0.1
+ columnName: InitiatingIpAdress
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
index dd6a5cf00c2..c4c4711432e 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
@@ -37,20 +37,35 @@ query: |
 | extend PremodifiedOutboundSettings = trim('"',tostring(Property.oldValue)), ModifiedOutboundSettings = trim(@'"',tostring(Property.newValue))
 )
- | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
- | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
+ | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
+ | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
+ | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
+ | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
+ | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
 | where PremodifiedOutboundSettings != ModifiedOutboundSettings
- | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])
+ | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1])
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: Name
- columnName: Name
+ columnName: InitiatingAppName
+ - identifier: AadUserId
+ columnName: InitiatingAppServicePrincipalId
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: InitiatingUserPrincipalName
+ - identifier: Name
+ columnName: InitiatingAccountName
 - identifier: UPNSuffix
- columnName: UPNSuffix
+ columnName: InitiatingAccountUPNSuffix
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: InitiatingAadUserId
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: InitiatedByIPAdress
-version: 1.0.1
+ columnName: InitiatingIpAdress
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
index a827a7b4f4c..e4f72eccabe 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
@@ -37,20 +37,35 @@ query: |
 | extend PremodifiedOutboundSettings = trim('"',tostring(Property.oldValue)), ModifiedOutboundSettings = trim(@'"',tostring(Property.newValue))
 )
- | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
- | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
+ | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
+ | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
+ | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
+ | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
+ | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
 | where PremodifiedOutboundSettings != ModifiedOutboundSettings
- | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])
+ | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1])
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: Name
- columnName: Name
+ columnName: InitiatingAppName
+ - identifier: AadUserId
+ columnName: InitiatingAppServicePrincipalId
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: InitiatingUserPrincipalName
+ - identifier: Name
+ columnName: InitiatingAccountName
 - identifier: UPNSuffix
- columnName: UPNSuffix
+ columnName: InitiatingAccountUPNSuffix
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: InitiatingAadUserId
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: InitiatedByIPAdress
-version: 1.0.1
+ columnName: InitiatingIpAdress
+version: 1.0.2
 kind: Scheduled