adding in some other entities

2019-09-04 09:10:05 -07:00 · 2019-09-04 09:10:05 -07:00 · 014f0e0954
--- a/Queries/SecurityAlert/AlertsForIP.yaml
+++ b/Queries/SecurityAlert/AlertsForIP.yaml
@ -23,12 +23,13 @@ query: |
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
  // expand JSON properties
-  | extend Extprop = parsejson(ExtendedProperties)
-  | extend Computer = toupper(tostring(Extprop["Compromised Host"]))
-  | extend Account =  tolower(tostring(Extprop["User Name"]))
  | where ExtendedProperties contains v_ipAddress or Entities contains v_ipAddress
-  | project StartTimeUtc = StartTime, EndTimeUtc = EndTime, AlertName, Computer, Account, ExtendedProperties, Entities
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
+  | extend Extprop = parsejson(ExtendedProperties)
+  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
+  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
+  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | project StartTimeUtc = StartTime, EndTimeUtc = EndTime, AlertName, Computer, Account, IpAddress, ExtendedProperties, Entities
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
  // change datetime value and <ipaddress> value below
  GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("<ipaddress>"))
--- a/Queries/SecurityAlert/AlertsForUser.yaml
+++ b/Queries/SecurityAlert/AlertsForUser.yaml
@ -22,13 +22,14 @@ query: |
  let v_EndTime = suspiciousEventTime+6h;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
+  | where Account contains v_User
  // expand JSON properties
  | extend Extprop = parsejson(ExtendedProperties)
-  | extend Computer = toupper(tostring(Extprop["Compromised Host"]))
-  | extend Account =  tolower(tostring(Extprop["User Name"]))
-  | where Account contains v_User
-  | project TimeGenerated, AlertName, Computer, Account, ExtendedProperties 
-  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
+  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
+  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
  // change datetime value and username value below
  GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("<username>"))
--- a/Queries/SecurityAlert/AlertsOnHost.yaml
+++ b/Queries/SecurityAlert/AlertsOnHost.yaml
@ -22,12 +22,14 @@ query: |
  let v_EndTime = suspiciousEventTime+6h;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
+  | where Computer contains v_Host
  // expand JSON properties
  | extend Extprop = parsejson(ExtendedProperties)
-  | extend Computer = toupper(tostring(Extprop["Compromised Host"]))
-  | where Computer contains v_Host
-  | project TimeGenerated, AlertName, Computer, ExtendedProperties
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
+  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
+  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
+  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
  // change datetime value and hostname value below
  GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("<hostname>"))
--- a/Queries/SecurityAlert/AlertsWithFile.yaml
+++ b/Queries/SecurityAlert/AlertsWithFile.yaml
@ -21,9 +21,11 @@ query: |
  let v_EndTime = suspiciousEventTime+1d;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
-  | extend Computer = toupper(parse_json(ExtendedProperties).["Compromised Host"])
  | where ExtendedProperties has v_File
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
+  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
+  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
+  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
  // change datetime value and <filename> value below
  GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), "<filename>")
--- a/Queries/SecurityAlert/AlertsWithProcess.yaml
+++ b/Queries/SecurityAlert/AlertsWithProcess.yaml
@ -21,12 +21,15 @@ query: |
  let v_EndTime = suspiciousEventTime+1d;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
-  | extend Computer = toupper(parse_json(ExtendedProperties).["Compromised Host"])
-  | extend ProcessName = parse_json(ExtendedProperties).["Suspicious Process"]
  | where ProcessName has v_Process
-  | project TimeGenerated, AlertName, Computer
+  | extend Extprop = parsejson(ExtendedProperties)
+  | extend ProcessName = parse_json(ExtendedProperties).["Suspicious Process"]
+  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
+  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
+  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | project TimeGenerated, AlertName, ProcessName, Computer, Account, IpAddress, ExtendedProperties 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  | top 10 by TimeGenerated desc nulls last
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
  };
  // change datetime value and <processname> value below
  GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), "<processname>")