Merge pull request #898 from Azure/QA-yaml-issues

yaml QA issues and Bugfix for detection
2020-07-24 12:05:22 -07:00 · 2020-07-24 12:05:22 -07:00 · 09fee48aea
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@ -48,14 +48,20 @@ query: |
  "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
  "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
  let IPList = dynamic(["51.91.200.147"]);
+  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  (union isfuzzy=true
  (CommonSecurityLog 
-  | where TimeGenerated >= ago(timeframe) 
+  | where TimeGenerated >= ago(timeframe)
  | parse Message with * '(' DNSName ')' * 
-  | where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
-  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or DNSName in~ (DomainNames)
-  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message") 
-  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName),
+  | extend MessageIP = extract(IPRegex, 0, Message)
+  | extend RequestURLIP = extract(IPRegex, 0, Message)
+  | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) 
+  or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) 
+  or (isnotempty(Message) and MessageIP in (IPList))
+  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch") 
+  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
+  IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
+  ),
  (DnsEvents 
  | where TimeGenerated >= ago(timeframe) 
  | extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
--- a/Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml
+++ b/Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml
--- a/Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml
+++ b/Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml
--- a/Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml
+++ b/Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml
--- a/Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml
+++ b/Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml
--- a/Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml
+++ b/Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml
--- a/Queries/AzureDiagnostics/CriticalPortsOpened.yaml
+++ b/Queries/AzureDiagnostics/CriticalPortsOpened.yaml
@ -3,7 +3,9 @@ name: Check critical ports opened to the entire internet
 description: |
  'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critial ports should not be opened to everyone, and should be filtered.'
 requiredDataConnectors:
-  - connectorId: AzureDiagnostic
+  - connectorId: WAF
+    dataTypes:
+      - AzureDiagnostics
 tactics:
  - InitialAccess
 query: |
--- a/Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml
+++ b/Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml
@ -8,10 +8,6 @@ description: |
  Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash 
  and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html'
 severity: Medium
-requiredDataConnectors:
-  - connectorId: Logstash
-    dataTypes:
-      - AwsBucketAPILogs
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
--- a/Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml
+++ b/Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml
@ -6,10 +6,6 @@ description: |
  Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash 
  and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html and ListObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html
  and ListBucket at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html'
-requiredDataConnectors:
-  - connectorId: Logstash
-    dataTypes:
-      - AwsBucketAPILogs
 tactics:
  - Collection
 relevantTechniques:
--- a/Queries/MultipleDataSources/TrackingPasswordChanges.yaml
+++ b/Queries/MultipleDataSources/TrackingPasswordChanges.yaml
@ -10,7 +10,7 @@ requiredDataConnectors:
     - AuditLogs
  - connectorId: SecurityEvents
    dataTypes:
-      - SecurityEvents
+      - SecurityEvent
  - connectorId: Syslog
    dataTypes:
      - Syslog