From f4467376a82238e255634b98e4d8fcbb07ce0521 Mon Sep 17 00:00:00 2001 From: Manuel Melendez Date: Thu, 4 Jan 2024 11:12:29 -0800 Subject: [PATCH 1/7] Entity Work Jan 4 - Manny Required items, please complete Change(s): - Working on some of the detections Shain asked us to focus on, mainly adding fullName identifiers Reason for Change(s): - Changes needed listed on Shain's dashboard Version Updated: - yes Testing Completed: - yes Checked that the validations are passing and have addressed any issues that are present: - no --- ...d to Team and immediately uploads file.yaml | 6 ++++-- .../ExternalUserAddedRemovedInTeams.yaml | 4 +++- .../Mail_redirect_via_ExO_transport_rule.yaml | 4 +++- .../Analytic Rules/Malicious_Inbox_Rule.yaml | 4 +++- .../Analytic Rules/MultipleTeamsDeletes.yaml | 4 +++- .../Analytic Rules/Office_MailForwarding.yaml | 4 +++- .../Office_Uploaded_Executables.yaml | 4 +++- .../Analytic Rules/RareOfficeOperations.yaml | 4 +++- .../SharePoint_Downloads_byNewIP.yaml | 4 +++- .../SharePoint_Downloads_byNewUserAgent.yaml | 4 +++- .../exchange_auditlogdisabled.yaml | 4 +++- .../Analytic Rules/office_policytampering.yaml | 4 +++- ...arepoint_file_transfer_above_threshold.yaml | 4 +++- ..._file_transfer_folders_above_threshold.yaml | 4 +++- .../Analytic Rules/AVSpringShell.yaml | 4 +++- .../Analytic Rules/AVTarrask.yaml | 4 +++- ...detectionsrelatedtoUkrainebasedthreats.yaml | 4 +++- ...PossiblePhishingwithCSL&NetworkSession.yaml | 6 +++++- .../PossibleWebpBufferOverflow.yaml | 18 +++++++++++++++--- .../PotentialBuildProcessCompromiseMDE.yaml | 12 +++++++----- .../Analytic Rules/SUNSPOTHashes.yaml | 12 +++++++----- ...arWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml | 18 +++++++++++++++--- .../SolarWinds_SUNBURST_Network-IOCs.yaml | 10 ++++++++-- .../SolarWinds_TEARDROP_Process-IOCs.yaml | 10 ++++++++-- .../CorrelateIPC_Unfamiliar-Atypical.yaml | 4 +++- .../Analytic Rules/ADFSDomainTrustMods.yaml | 4 +++- 26 files changed, 123 insertions(+), 41 deletions(-) 
diff --git a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml index c566fa9457..ce12fdeacc 100644 --- a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml @@ -54,10 +54,12 @@ query: | | where FileAccessCount > fileAccessThrehold ) on $left.OfficeObjectId == $right.OfficeObjectId )on $left.UPN == $right.UserId - | extend AccountName = tostring(split(UserWhoAdded, "@")[0]), AccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1]) + | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UPN - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -66,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.2 +version: 2.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml index b776dad6c5..a87746efea 100644 --- a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml @@ -40,9 +40,11 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UPN - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml index a9ce19f8f8..596b399cc8 100644 
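Review bot: The rewritten `extend` in "External User added to Team and immediately uploads file" now derives `AccountName`/`AccountUPNSuffix` from `UPN` (the joined uploader) instead of `UserWhoAdded`, which re-targets the Account entity to a different person than before, while the commit message only mentions adding FullName identifiers. Given the rule's title this may well be the intended account, but the user who performed the add is then no longer surfaced as an entity at all, and an analyst triaging "external user added then uploaded" usually wants both. Consider keeping the adder as a second Account mapping alongside the uploader, as sketched below, or at least state the re-targeting in the commit description. The query block starts before this hunk.
```yaml
    | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
    | extend AdderName = tostring(split(UserWhoAdded, "@")[0]), AdderUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UPN
      # … unchanged: Name / UPNSuffix mappings for the uploader …
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserWhoAdded
      - identifier: Name
        columnName: AdderName
      - identifier: UPNSuffix
        columnName: AdderUPNSuffix
# … unchanged: IP entity mapping, version, kind …
```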
--- a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml @@ -37,6 +37,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -45,5 +47,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 2.0.2 +version: 2.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml index 929c7b6954..d514a47c46 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml @@ -41,6 +41,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -53,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIPAddress -version: 2.0.3 +version: 2.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml index 1bc0cdf566..04a1e3bc1f 100644 --- a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml @@ -31,9 +31,11 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.3 +version: 2.0.4 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml index 5c388c0838..7ab5b6711a 100644 
--- a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml @@ -45,6 +45,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -53,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.2 +version: 2.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml index 029f1a5ad3..1e07de1a17 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml @@ -56,6 +56,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -72,5 +74,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: FileNames -version: 2.0.4 +version: 2.0.5 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml index 54d5f473aa..9956573469 100644 --- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml @@ -27,6 +27,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -39,5 +41,5 @@ entityMappings: fieldMappings: - identifier: AppId columnName: AppId -version: 2.0.3 +version: 2.0.4 kind: Scheduled 
diff --git a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml index caec253907..6e291983aa 100644 --- a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewIP.yaml @@ -53,6 +53,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -65,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Site_Url -version: 2.0.3 +version: 2.0.4 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml index c6bfd83ec8..5199f2f99d 100644 --- a/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml @@ -65,6 +65,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: UserIdName - identifier: UPNSuffix @@ -77,5 +79,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Site_Url -version: 2.2.2 +version: 2.2.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml index dc37b2b7ff..9220398fc7 100644 --- a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml @@ -33,6 +33,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix 
@@ -43,5 +45,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.3 +version: 2.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml index f8fae36829..93faf3aaab 100644 --- a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml @@ -48,6 +48,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -56,5 +58,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.2 +version: 2.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml index 171baf281b..f92205e0f6 100644 --- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml @@ -29,6 +29,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -55,5 +57,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml index 4da564dd33..68e356af11 100644 --- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml 
+++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml @@ -29,6 +29,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserId - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -55,5 +57,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml index 7a16ee0e6d..c10fd1a9b0 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVSpringShell.yaml @@ -39,6 +39,8 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: CompromisedEntity - identifier: HostName columnName: HostName - identifier: DnsDomain @@ -47,5 +49,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: PublicIP -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml index 0c08de37ff..e8a30d8b10 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVTarrask.yaml @@ -36,6 +36,8 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: CompromisedEntity - identifier: HostName columnName: HostName - identifier: DnsDomain @@ -44,5 +46,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: PublicIP -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml index 01581d390c..ca32fbf6eb 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml @@ -28,9 +28,11 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: CompromisedEntity - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: DnsDomain -version: 1.1.2 +version: 1.1.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml index 05901c58f9..cef9be3b84 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml @@ -107,12 +107,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccountName - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: DnsDomain @@ -125,5 +129,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: DestinationIP -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml index 3d53253edf..8afcef21fe 100644 
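Review bot: In the PossiblePhishingwithCSL&NetworkSession Account mapping, `FullName` is bound to `InitiatingProcessAccountName`, which in the Defender device tables is the account name without its domain (the domain lives in a separate column), whereas every other Account mapping in this series binds FullName to a UPN column. The sibling `Name`/`UPNSuffix` columns suggest the query already splits a UPN somewhere above the hunk; mapping FullName to that source column instead (`columnName: InitiatingProcessAccountUpn`, if that is what the query uses) keeps the three identifiers describing the same principal and lets the entity merge with Entra ID sign-in entities. The query is outside the hunk, so confirm the column name there.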
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml @@ -30,15 +30,27 @@ query: |- | distinct DeviceId; union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents | where DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp") + | extend Name = tostring(split(AccountUpn, "@")[0]), UPNSuffix = tostring(split(AccountUpn, "@")[1]) + | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) + entityMappings: - entityType: Host fieldMappings: - - identifier: HostName + - identifier: FullName columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: NTDomain + columnName: HostNameDomain - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountName + columnName: AccountUpn + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix - entityType: Process fieldMappings: - identifier: ProcessId @@ -69,4 +81,4 @@ alertDetailsOverride: alertDynamicProperties: [] eventGroupingSettings: aggregationKind: SingleAlert -version: 1.0.0 \ No newline at end of file +version: 1.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml index c2103fac7d..267c169e36 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml 
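Review bot: The new Host mapping in PossibleWebpBufferOverflow labels `HostNameDomain` as `NTDomain`, but the value is `substring(DeviceName, DomainIndex + 1)`, i.e. the DNS suffix of a fully qualified device name, which is what the `DnsDomain` identifier used by the other Host mappings in this series (PotentialBuildProcessCompromiseMDE, SUNSPOTHashes, the SolarWinds network/process rules) expects. The `iff` fallback also assigns the whole `DeviceName` when there is no dot, so a single-label host gets its own name recorded as its domain; an empty string is the safer fallback: `| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), "")` with `- identifier: DnsDomain`. The same NTDomain/fallback pattern is added in the SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs hunk. Separately, the union includes DeviceNetworkEvents, which to my knowledge does not carry an `AccountUpn` column, so rows from that table would yield an empty Account entity — worth checking against the schema. The query block starts before this hunk.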
@@ -53,9 +53,11 @@ query: | entityMappings: - entityType: Host fieldMappings: - - identifier: HostName - columnName: HostName - - identifier: DnsDomain - columnName: DnsDomain -version: 1.0.1 + - identifier: FullName + columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml index 416de705e2..fb8b20fd93 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml @@ -35,9 +35,11 @@ query: | entityMappings: - entityType: Host fieldMappings: - - identifier: HostName - columnName: HostName - - identifier: DnsDomain - columnName: DnsDomain -version: 1.0.1 + - identifier: FullName + columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml index 88ed82537f..1a4e82f64e 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml 
@@ -29,20 +29,32 @@ query: | DeviceFileEvents | where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5) | extend timestamp = TimeGenerated, Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),AlgorithmEntity = "MD5" ,FileHashEntity = MD5 + | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1]) + | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) + entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: Host fieldMappings: - - identifier: HostName + - identifier: FullName columnName: DeviceName + - identifier: HostName + columnName: HostName + - identifier: NTDomain + columnName: HostNameDomain - entityType: FileHash fieldMappings: - identifier: Algorithm columnName: AlgorithmEntity - identifier: Value columnName: FileHashEntity -version: 1.0.6 +version: 1.0.7 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml index fe7e124f38..a0469c72ec 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml 
@@ -33,10 +33,16 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: AccountEntity + - identifier: Name + columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountUpn - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: DnsDomain @@ -55,5 +61,5 @@ entityMappings: columnName: HashAlgorithm - identifier: Value columnName: InitiatingProcessMD5 -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml index b1a0204112..ed98895a30 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml @@ -36,10 +36,16 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: AccountEntity + - identifier: Name + columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountUpn - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: DnsDomain @@ -50,5 +56,5 @@ entityMappings: columnName: FileHashType - identifier: Value columnName: InitiatingProcessSHA1 -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml b/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml index 086e4aecd9..e261c82655 100644 --- a/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml 
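Review bot: In the SolarWinds_SUNBURST_Network-IOCs Account mapping the `UPNSuffix` identifier is bound to `InitiatingProcessAccountUpn`, which is the whole `user@domain` value rather than its domain part, while `Name` is taken from a different column (`InitiatingProcessAccountName`); the same binding is added in the SolarWinds_TEARDROP_Process-IOCs hunk on this line. The suffix should be derived in the query and mapped from that column: `| extend AccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, "@")[1])` and `columnName: AccountUPNSuffix`. How `AccountEntity` (now the FullName column) is built is outside the hunk, so I cannot tell whether it is the UPN or a fallback name.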
+++ b/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml @@ -88,6 +88,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserAccount - identifier: UPNSuffix columnName: UPNSuffix - identifier: Name @@ -112,5 +114,5 @@ customDetails: PreviousLocation: PreviousLocation CurrentIPAddress: CurrentIPAddress PreviousIPAddress: PreviousIPAddress -version: 1.0.7 +version: 1.0.8 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml index 5f98cee6fb..562e793c70 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml @@ -58,6 +58,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserOrApp - identifier: Name columnName: Name - identifier: UPNSuffix @@ -66,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatingIpAddress -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file From a2fb05165088ea0786bed662cb4118df4d1dc035 Mon Sep 17 00:00:00 2001 
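Review bot: The ADFSDomainTrustMods Account mapping binds `FullName` to `InitiatingUserOrApp`; the column name states it can hold an application identity as well as a user, so when an app principal made the change the alert will create an Account entity whose FullName is an application name (the query that builds the column is outside the hunk). If the query can tell the two cases apart, map FullName only from the user value, e.g. `| extend InitiatingUpn = iff(InitiatingUserOrApp has "@", InitiatingUserOrApp, "")` and `columnName: InitiatingUpn`; otherwise a short comment above the mapping noting the mixed content would help the next maintainer.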
From: Manuel Melendez Date: Thu, 4 Jan 2024 16:25:31 -0800 Subject: [PATCH 2/7] Adding FullName Identifier to a few more files --- .../AccountCreatedDeletedByNonApprovedUser.yaml | 4 +++- .../AccountCreatedandDeletedinShortTimeframe.yaml | 4 +++- .../AdminPromoAfterRoleMgmtAppPermissionGrant.yaml | 4 +++- .../AnomalousUserAppSigninLocationIncrease-detection.yaml | 4 +++- .../AuthenticationMethodsChangedforPrivilegedAccount.yaml | 6 +++++- .../Analytic Rules/AzureAADPowerShellAnomaly.yaml | 4 +++- .../AzureADRoleManagementPermissionGrant.yaml | 4 +++- .../AzurePortalSigninfromanotherAzureTenant.yaml | 4 +++- .../Brute Force Attack against GitHub Account.yaml | 4 +++- .../Analytic Rules/BruteForceCloudPC.yaml | 4 +++- .../BulkChangestoPrivilegedAccountPermissions.yaml | 5 ++++- .../Analytic Rules/BypassCondAccessRule.yaml | 5 ++++- .../Analytic Rules/CredentialAddedAfterAdminConsent.yaml | 4 +++- .../Cross-tenantAccessSettingsOrganizationAdded.yaml | 4 +++- .../Cross-tenantAccessSettingsOrganizationDeleted.yaml | 4 +++- ...ingsOrganizationInboundCollaborationSettingsChanged.yaml | 4 +++- ...essSettingsOrganizationInboundDirectSettingsChanged.yaml | 4 +++- ...ngsOrganizationOutboundCollaborationSettingsChanged.yaml | 4 +++- ...ssSettingsOrganizationOutboundDirectSettingsChanged.yaml | 4 +++- 19 files changed, 61 insertions(+), 19 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml index 7a33e2d6e0..9155339edc 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml @@ -34,6 +34,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUser - identifier: Name columnName: Name - identifier: UPNSuffix 
@@ -42,5 +44,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedUserIpAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml index 23e043bcb4..a07c8ca061 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml @@ -54,6 +54,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -62,5 +64,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: DeletedByIPAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml index 188b6014a6..9fdfbdbdba 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml @@ -88,9 +88,11 @@ entityMappings: columnName: AppDisplayName - entityType: Account fieldMappings: + - identifier: FullName + columnName: Targt - identifier: Name columnName: TargetName - identifier: UPNSuffix columnName: TargetUPNSuffix -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml index 5e0c7d1b8f..8984fbce3d 100644 
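Review bot: `columnName: Targt` in the AdminPromoAfterRoleMgmtAppPermissionGrant Account mapping looks like a typo for `Target`, given the sibling `TargetName`/`TargetUPNSuffix` columns. The query is outside the hunk, but if no `Targt` column is projected the FullName identifier will always be empty and the mapping validation may reject it. Suggested line: `columnName: Target`.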
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -60,5 +62,5 @@ alertDetailsOverride: This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations. -version: 2.0.1 +version: 2.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml index 024bc7e186..692343ae3c 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml @@ -55,12 +55,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Initiator - identifier: Name columnName: InitiatorName - identifier: UPNSuffix columnName: InitiatorUPNSuffix - entityType: Account fieldMappings: + - identifier: FullName + columnName: Targets - identifier: Name columnName: TargetName - identifier: UPNSuffix @@ -69,5 +73,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IP -version: 1.0.9 +version: 1.0.10 kind: Scheduled 
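Review bot: The second Account mapping in AuthenticationMethodsChangedforPrivilegedAccount binds `FullName` to `Targets`; the plural name suggests the column may hold more than one UPN per row (the query is outside the hunk). An entity identifier must be a single string, so if `Targets` is a dynamic array the query should `mv-expand` it or project a scalar `Target` before mapping; if it is already a scalar, a rename or a one-line comment would remove the ambiguity.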
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml index ad4063872b..39d5551ea5 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml @@ -43,6 +43,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -53,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml index c81080fffc..726e2f941a 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml @@ -56,6 +56,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Initiator - identifier: Name columnName: Name - identifier: UPNSuffix @@ -64,5 +66,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AppDisplayName -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml index 84c030639b..386ef4955b 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml 
@@ -54,6 +54,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -71,5 +73,5 @@ alertDetailsOverride: and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner. In this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}. -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml index c2929343a0..204aae7e44 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml @@ -52,9 +52,11 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix -version: 2.0.1 +version: 2.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml index d13aacf2f6..20c3e6df7a 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml @@ -51,6 +51,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -59,5 +61,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddressFirst -version: 2.0.0 +version: 2.0.1 kind: Scheduled 
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml index 3015cde215..6d1e565795 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml @@ -48,6 +48,9 @@ query: | entityMappings: - entityType: Account fieldMappings: + fieldMappings: + - identifier: FullName + columnName: Target - identifier: Name columnName: TargetName - identifier: UPNSuffix @@ -61,5 +64,5 @@ entityMappings: customDetails: InitiatedByUser: InitiatedByUser TargetUser: Target -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml index 8f5e12e8ac..67188408bf 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml @@ -60,6 +60,9 @@ query: | entityMappings: - entityType: Account fieldMappings: + fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -68,5 +71,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddresses -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml index dfb337743d..f8e186908d 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml 
@@ -89,6 +89,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Credential_InitiatingUserOrApp - identifier: Name columnName: Name - identifier: UPNSuffix @@ -97,5 +99,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: Consent_InitiatingIpAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml index 2a14d11cc1..8c7b6a4da5 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml @@ -42,6 +42,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix @@ -50,5 +52,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml index 7b9217a7ab..3325d7f9d3 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml @@ -39,6 +39,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix 
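Review bot: The new `FullName` identifier is bound to `Credential_InitiatingUserOrApp`, whose name suggests it holds an application display name rather than a UPN when the credential was added by an app (the `extend` that builds it is outside the hunk, so this is inferred). `FullName` is meant to carry the `user@domain` form, so an app-initiated event would yield an Account entity whose FullName is an app name while `Name`/`UPNSuffix` come out empty. Consider binding FullName to a user-only column, e.g. `columnName: Credential_InitiatingUserPrincipalName` derived from `InitiatedBy.user.userPrincipalName`, and mapping the app case as a separate entity, as PATCH 4 in this series does for the other AuditLogs rules.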
@@ -47,5 +49,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml index b929253275..d6443d340b 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix @@ -52,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml index 698de3bbd0..bca5440fca 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix @@ -52,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled 
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml index dd6a5cf00c..baa95b4ce7 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix @@ -52,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml index a827a7b4f4..a1a4aac081 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml @@ -44,6 +44,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatedByActionUserInformation - identifier: Name columnName: Name - identifier: UPNSuffix @@ -52,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled From 9fd0b0faf43bb0ad0eb61db5144f254540c9deba Mon Sep 17 00:00:00 2001 
From: Manuel Melendez Date: Thu, 4 Jan 2024 16:45:58 -0800 Subject: [PATCH 3/7] Fixing typos --- .../BulkChangestoPrivilegedAccountPermissions.yaml | 1 - .../Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml index 6d1e565795..286043306f 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml @@ -47,7 +47,6 @@ query: | InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0]) entityMappings: - entityType: Account - fieldMappings: fieldMappings: - identifier: FullName columnName: Target diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml index 67188408bf..80f85b8ffd 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml @@ -59,7 +59,6 @@ query: | union isfuzzy=true aadSignin, aadNonInt entityMappings: - entityType: Account - fieldMappings: fieldMappings: - identifier: FullName columnName: UserPrincipalName From c6c52aba681858fbba1cc3e0792d2b9fa15e4719 Mon Sep 17 00:00:00 2001 
From: Manuel Melendez Date: Tue, 9 Jan 2024 08:46:20 -0800 Subject: [PATCH 4/7] AuditLogs extract from InitiatedBy --- .../Analytic Rules/ADFSDomainTrustMods.yaml | 28 +++++++++++----- ...ccountCreatedDeletedByNonApprovedUser.yaml | 29 +++++++++++----- ...ountCreatedandDeletedinShortTimeframe.yaml | 30 +++++++++++------ ...ionMethodsChangedforPrivilegedAccount.yaml | 33 ++++++++++--------- .../AzureADRoleManagementPermissionGrant.yaml | 31 +++++++++++------ ...ChangestoPrivilegedAccountPermissions.yaml | 31 +++++++++++------ ...tenantAccessSettingsOrganizationAdded.yaml | 27 +++++++++++---- ...nantAccessSettingsOrganizationDeleted.yaml | 27 +++++++++++---- ...onInboundCollaborationSettingsChanged.yaml | 27 +++++++++++---- ...anizationInboundDirectSettingsChanged.yaml | 27 +++++++++++---- ...nOutboundCollaborationSettingsChanged.yaml | 27 +++++++++++---- ...nizationOutboundDirectSettingsChanged.yaml | 27 +++++++++++---- 12 files changed, 240 insertions(+), 104 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml index 562e793c70..4c2b7030fc 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml 
@@ -51,22 +51,34 @@ query: | where AdditionalDetail.key =~ "User-Agent" | extend UserAgent = tostring(AdditionalDetail.value) ) - | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)) - | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) - | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId - | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatingUserOrApp + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + 
fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatingIpAddress + columnName: InitiatingIpAdress version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml index 9155339edc..516f33e34b 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml 
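Review bot: `InitiatingAppName` is the only new `extend` column not wrapped in `tostring()`, so it is left `dynamic` while feeding the `Name` identifier of an Account entity; the removed `InitiatingUserOrApp` line cast both branches explicitly, so use `| extend InitiatingAppName = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))`. The three Account entities also split one actor across several entities: when a user initiates, the first entity carries the UPN as `Name` with an empty `AadUserId`, the second carries the same UPN as `FullName`, and the third carries only `InitiatingAadUserId`. Folding `- identifier: AadUserId` / `columnName: InitiatingAadUserId` into the user entity and populating the first entity only from `InitiatedBy.app.*` would give one entity per principal — confirm which shape the entity work expects. This six-line extraction block is pasted verbatim into every other rule in this patch (including the misspelled `InitiatingIpAdress` column name), so whatever is decided should be applied to all of them.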
@@ -26,23 +26,36 @@ query: | AuditLogs | where OperationName =~ "Add user" or OperationName =~ "Delete user" | where Result =~ "success" - | extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) | where InitiatingUser has_any (nonapproved_users) - | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources - | extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress) - | extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0]) + | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingAppName, TargetResources entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatingUser + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: 
InitiatedUserIpAddress + columnName: InitiatingIpAdress version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml index a07c8ca061..f30b315dfe 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml 
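Review bot: The context line `| where InitiatingUser has_any (nonapproved_users)` still references `InitiatingUser`, but this hunk removes the `extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)` that defined it and nothing redefines it, so the query will fail to resolve that column and the rule will not run. Filter on the new column instead: `| where InitiatingUserPrincipalName has_any (nonapproved_users)`. Note also that `version: 1.0.3` is left unchanged even though the query logic changed, whereas PATCH 1 bumped versions for the smaller FullName-only edits.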
@@ -45,24 +45,34 @@ query: | ) | project-rename Creation_TimeGenerated = TimeGenerated ) on UserPrincipalName - | extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated - | where TimeDelta between (time(0s) .. queryperiod) - | extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress) - | extend CreatedByApp = tostring(InitiatedBy.app.displayName) - | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources - | extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: UserPrincipalName + columnName: InitiatingUserPrincipalName - 
identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: DeletedByIPAddress + columnName: InitiatingIpAdress version: 1.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml index 692343ae3c..4e99cd5cb8 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml @@ -36,8 +36,6 @@ query: | | where TimeGenerated > ago(queryfrequency) | where Category =~ "UserManagement" | where ActivityDisplayName in (security_info_actions) - | extend Initiator = tostring(InitiatedBy.user.userPrincipalName) - | extend IP = tostring(InitiatedBy.user.ipAddress) | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "User" 
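Review bot: The removed lines `| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated` and `| where TimeDelta between (time(0s) .. queryperiod)` are not replaced, so the rule no longer enforces the short creation-to-deletion window it is named for: any account created and later deleted anywhere in the lookback now alerts. Restore those two lines ahead of the new `extend` block (the `queryperiod` declaration and the left side of the join are outside the hunk). The created-and-deleted account itself (`UserPrincipalName`) also loses its Account entity, and the new entities are built from the unprefixed `InitiatedBy`, which per the removed `CreatedByUser` line is the creation side, so the deleting actor in `Deletion_InitiatedBy` is no longer represented. Keep an Account entity with `- identifier: FullName` / `columnName: UserPrincipalName` for the target, and consider a second initiator mapping derived from `Deletion_InitiatedBy`.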
@@ -47,31 +45,34 @@ query: | // Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity. //| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result // Comment out this line below, if line above is used. - | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target - | extend InitiatorName = tostring(split(Initiator,'@',0)[0]), - InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]), - TargetName = iff(tostring(Targets) has "[", "", tostring(split(Targets,'@',0)[0])), - TargetUPNSuffix = iff(tostring(Targets) has "[", "", tostring(split(Targets,'@',1)[0])) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: Initiator - identifier: Name - columnName: InitiatorName - - identifier: UPNSuffix - columnName: InitiatorUPNSuffix + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: Targets + columnName: InitiatingUserPrincipalName 
- identifier: Name - columnName: TargetName + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: TargetUPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: IP + columnName: InitiatingIpAdress version: 1.0.10 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml index 726e2f941a..6064a7a11c 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml 
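Review bot: Dropping the second Account entity (`FullName: Targets`) means the privileged account whose authentication methods were changed is no longer an entity on the alert, which is the primary pivot for this detection; `Target` is still produced by the `mv-apply` that continues outside the hunk, so it can be mapped again with `- identifier: FullName` / `columnName: Target`. Removing the `summarize ... by Initiator, IP, Result, Targets = Target` line also leaves the two surviving comment lines above it describing an optional `summarize` over `Initiator` and `IP`, columns this hunk deletes; update that comment to name `InitiatingUserPrincipalName` and `InitiatingIpAdress` or remove it. Without any `summarize` the rule now emits one row per audit event rather than one per initiator/target pair, which changes alert volume — confirm that is intended.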
@@ -48,23 +48,34 @@ query: | where Property.displayName =~ "ServicePrincipal.ObjectID" | extend AppServicePrincipalId = trim('"',tostring(Property.newValue)) ) - | extend - Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)), - InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id)) - | project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId - | extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: Initiator + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix - entityType: Account fieldMappings: - - identifier: Name - columnName: AppDisplayName + - identifier: 
AadUserId + columnName: InitiatingAadUserId + - entityType: IP + fieldMappings: + - identifier: Address + columnName: InitiatingIpAdress version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml index 286043306f..251dc4646f 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml 
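Review bot: Removing the Account entity on `AppDisplayName` drops the service principal that actually received the RoleManagement permission — the object a responder needs to pivot on — and leaves `AppServicePrincipalId`, extracted in the `mv-apply` just above, unused. Keep a separate entity for the grantee alongside the new initiator entities, following the same Name/AadUserId shape this patch uses for initiators; the `mv-apply` that derives `AppServicePrincipalId` begins outside the hunk. Dropping the old `project` also means `InitiatedBy`, `TargetResources` and `AdditionalDetails` now remain as raw dynamic columns in the results, which is harmless but worth a deliberate `project-away` if row size matters.
```yaml
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AppDisplayName
      - identifier: AadUserId
        columnName: AppServicePrincipalId
  # … unchanged: initiator Account entities and IP entity …
```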
@@ -42,24 +42,35 @@ query: | AdminRecords | extend TimeWindow = bin(TimeGenerated, 1h) ) on $left.TimeGenerated == $right.TimeWindow - | extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), "") - | extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), - InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: Target - identifier: Name - columnName: TargetName - - identifier: UPNSuffix - columnName: TargetUPNSuffix + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: InitiatedByUserName + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: InitiatedByUserUPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId + - entityType: IP + fieldMappings: + - identifier: Address + columnName: 
InitiatingIpAdress customDetails: InitiatedByUser: InitiatedByUser TargetUser: Target diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml index 8c7b6a4da5..306b9229c6 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml @@ -25,8 +25,6 @@ query: | let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]); AuditLogs | where OperationName has "Add a partner to cross-tenant access setting" - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "Policy" 
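Review bot: `customDetails` still references `InitiatedByUser: InitiatedByUser`, but this hunk removes the `extend InitiatedByUser = ...` that defined that column and nothing else defines it, so the custom detail now points at a column absent from the query output. Point it at the new column: `InitiatedByUser: InitiatingUserPrincipalName`. The Account entity on `Target` (the privileged account whose permissions were bulk-changed) is also removed even though `Target` is still surfaced in `customDetails`; restore it with `- identifier: FullName` / `columnName: Target` so the affected account remains an entity. The join against `AdminRecords` that produces `Target` starts outside the hunk.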
@@ -38,19 +36,34 @@ query: | | extend ExtTenantIDAdded = trim('"',tostring(Property.newValue)) ) | where ExtTenantIDAdded !in (ExpectedTenantIDs) - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + columnName: InitiatingIpAdress version: 1.0.3 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml index 3325d7f9d3..a56008e506 100644 
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml @@ -23,8 +23,6 @@ relevantTechniques: query: | AuditLogs | where OperationName has "Delete partner specific cross-tenant access setting" - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "Policy" 
@@ -35,19 +33,34 @@ query: | where Property.displayName =~ "tenantId" | extend ExtTenantDeleted = trim('"',tostring(Property.oldValue)) ) - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + columnName: InitiatingIpAdress version: 1.0.3 kind: Scheduled 
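Review bot: In Cross-tenantAccessSettingsOrganizationDeleted.yaml the Account entity keyed by `InitiatingAppName` is computed as the user UPN when a user initiated the deletion, so user-initiated events are double-mapped (Name=UPN plus the FullName entity for the same person) while the AadUserId on that entity is empty. Building the app-only column from the app fields, `| extend InitiatingAppDisplayName = tostring(InitiatedBy.app.displayName)`, and mapping that to Name keeps the two entities disjoint. Also, `version: 1.0.3` is left as context here; Sentinel solution rules need a version bump for a changed template to roll out, unless another commit in this series does it.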
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml index d6443d340b..7dc939711d 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml 
@@ -37,22 +37,35 @@ query: | | extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)), ModifiedInboundSettings = trim(@'"',tostring(Property.newValue)) ) - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) | where PremodifiedInboundSettings != ModifiedInboundSettings - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + 
columnName: InitiatingIpAdress version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml index bca5440fca..ad5c65ba19 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml 
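Review bot: `version: 1.0.2` is unchanged context at the end of this hunk for Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml, so the new entity mappings would not ship unless the bump is made in another commit of the series. The Account entity whose Name is `InitiatingAppName` also receives the user's UPN for user-initiated changes (the iff falls back to `InitiatedBy.user.userPrincipalName`), which duplicates the FullName entity for the same actor; a column from the app fields only, `| extend InitiatingAppDisplayName = tostring(InitiatedBy.app.displayName)`, mapped to Name avoids that. The column name `InitiatingIpAdress` is misspelled in both the extend and the mapping; since it is internal, `InitiatingIpAddress` is a free rename.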
@@ -37,22 +37,35 @@ query: | | extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)), ModifiedInboundSettings = trim(@'"',tostring(Property.newValue)) ) - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) | where PremodifiedInboundSettings != ModifiedInboundSettings - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + 
columnName: InitiatingIpAdress version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml index baa95b4ce7..c4c4711432 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml 
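Review bot: The Account entity mapping `Name: InitiatingAppName` in Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml will carry the user's full UPN as a Name for user-initiated events, because `InitiatingAppName` only falls through to `InitiatedBy.app.displayName` when no user UPN exists; that yields a second Account entity for the same user next to the FullName one. Consider `| extend InitiatingAppDisplayName = tostring(InitiatedBy.app.displayName)` for the app entity's Name so it is populated only for service-principal actors. `version: 1.0.2` is context in this hunk, so the rule needs a bump elsewhere in the series to redeploy.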
@@ -37,22 +37,35 @@ query: | | extend PremodifiedOutboundSettings = trim('"',tostring(Property.oldValue)), ModifiedOutboundSettings = trim(@'"',tostring(Property.newValue)) ) - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) | where PremodifiedOutboundSettings != ModifiedOutboundSettings - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + 
columnName: InitiatingIpAdress version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml index a1a4aac081..e4f72eccab 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml 
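Review bot: `version: 1.0.2` at the end of this hunk is unchanged, so Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml would not redeploy with the new entity mappings unless another commit of the series bumps it. The app Account entity is keyed on `InitiatingAppName`, which is the user UPN whenever a user initiated the change, so that entity duplicates the FullName entity for user actions; `| extend InitiatingAppDisplayName = tostring(InitiatedBy.app.displayName)` mapped to Name would limit it to app actors. Minor style: the five extends run before `| where PremodifiedOutboundSettings != ModifiedOutboundSettings`; placing the filter first avoids computing them for rows that are discarded.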
@@ -37,22 +37,35 @@ query: | | extend PremodifiedOutboundSettings = trim('"',tostring(Property.oldValue)), ModifiedOutboundSettings = trim(@'"',tostring(Property.newValue)) ) - | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) - | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress + | extend InitiatingAppName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName) + | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId) + | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | extend InitiatingAadUserId = tostring(InitiatedBy.user.id) + | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) | where PremodifiedOutboundSettings != ModifiedOutboundSettings - | extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0]) + | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: InitiatingAppName + - identifier: AadUserId + columnName: InitiatingAppServicePrincipalId - entityType: Account fieldMappings: - identifier: FullName - columnName: InitiatedByActionUserInformation + columnName: InitiatingUserPrincipalName - identifier: Name - columnName: Name + columnName: InitiatingAccountName - identifier: UPNSuffix - columnName: UPNSuffix + columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address - columnName: InitiatedByIPAdress + 
columnName: InitiatingIpAdress version: 1.0.2 kind: Scheduled From e489b1612c729c8a9cf1bbd7973113b885322829 Mon Sep 17 00:00:00 2001 From: Manuel Melendez Date: Tue, 23 Jan 2024 15:41:56 -0800 Subject: [PATCH 5/7] Working on fixes from Shain's comments --- ... to Team and immediately uploads file.yaml | 20 ++++++++--------- .../ExternalUserAddedRemovedInTeams.yaml | 22 +++++++++++-------- .../Analytic Rules/MultipleTeamsDeletes.yaml | 6 ++++- ...ossiblePhishingwithCSL&NetworkSession.yaml | 16 ++++++++++---- .../PossibleWebpBufferOverflow.yaml | 5 ++++- .../PotentialBuildProcessCompromiseMDE.yaml | 12 ++++++++-- .../Analytic Rules/SUNSPOTHashes.yaml | 9 ++++++++ 7 files changed, 63 insertions(+), 27 deletions(-) diff --git a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml index ce12fdeacc..98449c4ab3 100644 --- a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml 
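Review bot: For user-initiated changes in Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml, `InitiatingAppName` holds the user's UPN (the iff prefers `InitiatedBy.user.userPrincipalName`), so the Account entity mapping it to Name represents the same person as the FullName entity and has an empty `InitiatingAppServicePrincipalId`. Deriving the app entity from `| extend InitiatingAppDisplayName = tostring(InitiatedBy.app.displayName)` keeps it specific to service principals, while `InitiatingAppName` can stay for display. `version: 1.0.2` is unchanged context here, so a bump is still needed somewhere in the series for the template to roll out.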
@@ -26,17 +26,17 @@ query: | OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "MemberAdded" - | extend UPN = tostring(parse_json(Members)[0].UPN) - | where UPN contains ("#EXT#") - | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName + | extend MemberAdded = tostring(parse_json(Members)[0].UPN) + | where MemberAdded contains ("#EXT#") + | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName | join kind = inner( OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "MemberRemoved" - | extend UPN = tostring(parse_json(Members)[0].UPN) - | where UPN contains ("#EXT#") - | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName - ) on UPN + | extend MemberAdded = tostring(parse_json(Members)[0].UPN) + | where MemberAdded contains ("#EXT#") + | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName + ) on MemberAdded | where TimeDeleted > TimeAdded | join kind=inner ( @@ -53,13 +53,13 @@ query: | | summarize FileAccessCount = count() by OfficeObjectId | where FileAccessCount > fileAccessThrehold ) on $left.OfficeObjectId == $right.OfficeObjectId - )on $left.UPN == $right.UserId - | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) + )on $left.MemberAdded == $right.UserId + | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: UPN + columnName: MemberAdded - identifier: Name columnName: AccountName - identifier: UPNSuffix diff --git a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml index a87746efea..ac61dd90c3 100644 
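Review bot: Both legs still read only `parse_json(Members)[0].UPN`, so an external member added or removed together with other members in a single operation is invisible to this rule; the sibling ExternalUserAddedRemovedInTeams.yaml (next hunk) iterates the members with `mv-expand`. Replacing the extend in both legs with `| mv-expand Member = parse_json(Members) | extend MemberAdded = tostring(Member.UPN)` closes that gap. The MemberRemoved leg also names the removed member `MemberAdded`; a neutral join key such as `ExternalMemberUPN` in both projections and the entity mapping would keep the join working and read correctly. The join on `MemberAdded` has no time bound, which is pre-existing, and the query continues outside this hunk.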
--- a/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml @@ -24,27 +24,31 @@ query: | | where Operation == Op | where Members has ("#EXT#") | mv-expand Members - | extend UPN = tostring(Members.UPN) - | where UPN has ("#EXT#") - | project TimeGenerated, Operation, UPN, UserId, TeamName + | extend MemberAdded = tostring(Members.UPN) + | where MemberAdded has ("#EXT#") + | project TimeGenerated, Operation, MemberAdded, UserId, TeamName, ClientIP }; let TeamsAdd = TeamsAddDel("MemberAdded") - | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName; + | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName, ClientIP; let TeamsDel = TeamsAddDel("MemberRemoved") - | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName; + | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName, ClientIP; TeamsAdd - | join kind=inner (TeamsDel) on UPN + | join kind=inner (TeamsDel) on MemberAdded | where TimeDeleted > TimeAdded - | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName - | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) + | project TimeAdded, TimeDeleted, MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP + | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: UPN + columnName: MemberAdded - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: ClientIP version: 2.0.2 kind: Scheduled 
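Review bot: After `join kind=inner (TeamsDel) on MemberAdded` both sides carry `ClientIP`, so the final `project ... ClientIP` keeps the add-side address and silently discards the remove-side one (`ClientIP1`); the IP entity then represents the adder without saying so. Naming the columns in the two projections, `UserWhoAdded = UserId, TeamName, AddedFromIP = ClientIP` and `UserWhoDeleted = UserId, TeamName, RemovedFromIP = ClientIP`, and mapping `AddedFromIP` (or both as separate IP entities) makes the meaning explicit. `version: 2.0.2` is context here, so the bump presumably landed in an earlier commit of this series; the TeamsAddDel function starts outside the hunk.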
diff --git a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml index 04a1e3bc1f..4c9a7a3bdc 100644 --- a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml @@ -25,7 +25,7 @@ query: | OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "TeamDeleted" - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId, ClientIP | where array_length(DeletedTeams) > max_delete_count | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) entityMappings: @@ -37,5 +37,9 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: ClientIP version: 2.0.4 kind: Scheduled diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml index cef9be3b84..5f456c84ee 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml 
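Review bot: Adding `ClientIP` to the summarize key changes the detection in MultipleTeamsDeletes.yaml: deletions are now counted per user and source IP, so a user who deletes teams from two addresses (VPN change, roaming) may never exceed `max_delete_count`. Keep the key on `UserId` and collect the addresses instead, `..., DeletedTeams = make_set(TeamName, 1000), ClientIPs = make_set(ClientIP, 100) by UserId` followed by `| extend ClientIP = tostring(ClientIPs[0])` for the IP entity; this preserves the per-user threshold at the cost of surfacing only one address as an entity. `max_delete_count` and the rest of the query are outside this hunk.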
@@ -81,11 +81,11 @@ query: | (DeviceEvents | where ActionType =~ "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl) | project UrlClickedByUserSid = RemoteUrl, - InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName + InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain ) on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, - AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName + AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain | join kind=inner ( //Suspicious url clicked found in common security logs 
@@ -100,15 +100,23 @@ query: | | where not(ipv4_is_private(DstIpAddr)) | project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes ) on $left.DestinationIP == $right.DstIpAddr //The relevant network session being projected - | summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication + | summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication | extend HostName = iff(DeviceName has '.', substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName,indexof(DeviceName,'.')+1),"") - | extend Name = tostring(split(InitiatingProcessAccountName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountName,'@',1)[0]) + | extend Name = tostring(split(RecipientEmailAddress,'@',0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress,'@',1)[0]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName + columnName: InitiatingProcessAccountUpn + - identifier: Name columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountDomain + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: RecipientEmailAddress - identifier: Name columnName: Name - identifier: UPNSuffix diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml index 8afcef21fe..be359ab4fb 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml 
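Review bot: `InitiatingProcessAccountDomain` is mapped to the Account `UPNSuffix` identifier, but in the Defender device tables that column typically holds the NT/NetBIOS domain (values like `contoso` or `nt authority`), not a DNS UPN suffix; the matching identifier is `- identifier: NTDomain` with `columnName: InitiatingProcessAccountDomain`. The query also has `AccountSID`, the strongest account identifier, but the `summarize count() by ...` key drops it; adding `AccountSID` to that key and a `- identifier: Sid` mapping would make the entity merge reliably, noting that this entity already uses three identifiers so Sid would replace one or go on its own entity. The surrounding query and the end of the entity mappings are outside this hunk.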
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml @@ -33,7 +33,6 @@ query: |- | extend Name = tostring(split(AccountUpn, "@")[0]), UPNSuffix = tostring(split(AccountUpn, "@")[1]) | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) - entityMappings: - entityType: Host fieldMappings: @@ -63,6 +62,10 @@ entityMappings: fieldMappings: - identifier: CommandLine columnName: ProcessCommandLine + - entityType: IP + fieldMappings: + - identifier: Address + columnName: LocalIPType suppressionEnabled: false incidentConfiguration: createIncident: false diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml index 267c169e36..74ad425885 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml 
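Review bot: The new IP entity maps `Address` to `LocalIPType`, which by name is the address classification (Private/Public/etc. in the device network schema) rather than an address, so the entity would be created with a non-IP value or dropped. The Address identifier should point at the actual address column, `columnName: LocalIP` (or `RemoteIP`, depending on which end the rule intends), and the query above this hunk, which is not visible here, has to carry that column through its projections.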
@@ -42,12 +42,12 @@ query: | | where ActionType == "FileCreated" or ActionType == "FileModified" // Look for code files, edit this to include file extensions used in build. | where FileName endswith ".cs" or FileName endswith ".cpp" - | summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated) + | summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn) // join where build processes and file modifications seen at same time on same host on timekey, DeviceName // Limit to only where the file edit happens after the build process starts | where BuildProcessTime <= FileEditTime - | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess + | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn | extend HostName = iff(DeviceName has '.', substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName,indexof(DeviceName,'.')+1),"") entityMappings: @@ -59,5 +59,13 @@ entityMappings: columnName: HostName - identifier: DnsDomain columnName: DnsDomain +- entityType: Account + fieldMappings: + - identifier: FullName + columnName: FileEditUpn + - identifier: Name + columnName: FileEditAccount + - identifier: UPNSuffix + columnName: FileEditDomain version: 1.0.2 kind: Scheduled \ No newline at end of file 
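Review bot: The second summarize now groups by `FileEditAccount`, `FileEditDomain` and `FileEditUpn`, so `make_set(FileEditAccount)` can only ever hold one value and a single build window produces one row per editing account instead of one per build; if that split is intended, drop the now-redundant `make_set(FileEditAccount)`, otherwise keep the original key and pick the account columns with `take_any(FileEditAccount, FileEditDomain, FileEditUpn)`. Separately, `FileEditDomain` is `InitiatingProcessAccountDomain`, which in the device tables is typically the NT domain rather than a UPN suffix, so `- identifier: NTDomain` is the matching Account identifier. `version: 1.0.2` is unchanged context, so the bump has to come from another commit in the series.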
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml index fb8b20fd93..f6a667ca4a 100644 --- a/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml +++ b/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml @@ -32,6 +32,7 @@ query: | | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend timestamp=TimeGenerated | extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.')) + | extend InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn entityMappings: - entityType: Host fieldMappings: @@ -41,5 +42,13 @@ entityMappings: columnName: HostName - identifier: DnsDomain columnName: DnsDomain + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccountUpn + - identifier: Name + columnName: InitiatingProcessAccountName + - identifier: UPNSuffix + columnName: InitiatingProcessAccountDomain version: 1.0.2 kind: Scheduled From 8db93e34739886f766ec8f439858e8a1682b210e Mon Sep 17 00:00:00 2001 From: Manuel Melendez Date: Fri, 16 Feb 2024 14:57:16 -0800 Subject: [PATCH 6/7] Fixed an error from one of the queries --- .../Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml index 516f33e34b..ddc7cee868 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml 
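Review bot: `| extend InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn` assigns three columns to themselves: if the rows above the hunk still carry them it is a no-op, and if an earlier projection dropped them `extend` cannot recreate them, so the line should go and the columns be kept in whatever projection precedes it (not visible here). The Account entity also maps `InitiatingProcessAccountDomain` to `UPNSuffix`, whereas in the Defender device tables that column typically holds the NT domain; `- identifier: NTDomain` is the matching identifier. `version: 1.0.2` is unchanged in this hunk.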
@@ -32,7 +32,7 @@ query: |
 | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
 | extend InitiatingIpAdress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
 | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName,'@')[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@')[1])
- | where InitiatingUser has_any (nonapproved_users)
+ | where InitiatingUserPrincipalName has_any (nonapproved_users)
 | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingAppName, TargetResources
 entityMappings:
 - entityType: Account
From 166a34eaa8ffe56b6308a58738f72afbc49145cc Mon Sep 17 00:00:00 2001
From: ccmsft <98336965+ccmsft@users.noreply.github.com>
Date: Thu, 22 Feb 2024 13:08:19 -0500
Subject: [PATCH 7/7] Update External User added to Team and immediately uploads file.yaml
---
 ...ernal User added to Team and immediately uploads file.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
index 98449c4ab3..88ebd3a9bd 100644
--- a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
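Review bot: `has_any` is term matching, so if `nonapproved_users` (defined above this hunk) holds short names such as `admin`, the filter also matches `admin.smith@contoso.com` or any UPN containing that term; if the list holds full UPNs, `| where InitiatingUserPrincipalName in~ (nonapproved_users)` is exact and case-insensitive. Events initiated by an app have an empty `InitiatingUserPrincipalName` and are dropped by this filter, which looks intended for a list of users but is worth a comment on the line. The enclosing query starts outside the hunk.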
@@ -1,8 +1,8 @@
 id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
 name: Accessed files shared by temporary external user
 description: |
- 'This detection identifies an external user is added to a Team or Teams chat
- and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
+ 'This detection identifies when an external user is added to a Team or Teams chat
+ and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be
 an indicator of suspicious activity.'
 severity: Low
 status: Available