Merge pull request #898 from Azure/QA-yaml-issues
yaml QA issues and Bugfix for detection
|
@ -48,14 +48,20 @@ query: |
|
|||
"notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
|
||||
"sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
|
||||
let IPList = dynamic(["51.91.200.147"]);
|
||||
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
|
||||
(union isfuzzy=true
|
||||
(CommonSecurityLog
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| parse Message with * '(' DNSName ')' *
|
||||
| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
|
||||
| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or DNSName in~ (DomainNames)
|
||||
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")
|
||||
| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName),
|
||||
| extend MessageIP = extract(IPRegex, 0, Message)
|
||||
| extend RequestURLIP = extract(IPRegex, 0, Message)
|
||||
| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
|
||||
or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
|
||||
or (isnotempty(Message) and MessageIP in (IPList))
|
||||
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch")
|
||||
| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
|
||||
IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
|
||||
),
|
||||
(DnsEvents
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
|
||||
|
|
|
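Review bot: `RequestURLIP` on the line `| extend RequestURLIP = extract(IPRegex, 0, Message)` is taken from `Message`, so it always equals `MessageIP` and the `RequestURLIP in (IPList)` test plus the `IPMatch == "RequestUrl"` case never see an address that appears only in the URL; presumably the intended line is `| extend RequestURLIP = extract(IPRegex, 0, RequestURL)`, and as written the rule may miss events where the listed IP is present in `RequestURL` but not in `Message`. `IPRegex` also accepts values such as `999.1.1.1` and matches a digit run inside a longer number; because the extracted value is then compared by exact `in (IPList)` membership this mostly costs missed matches rather than false positives, but a short comment on the `let IPRegex` line saying so would help the next maintainer. The two identical `| where TimeGenerated >= ago(timeframe)` lines near the top of the hunk look like an old/new pair whose marker was lost; if both survive on the new side the second is redundant. The query's `let` declarations start before this hunk and the union continues after it.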
@ -3,7 +3,9 @@ name: Check critical ports opened to the entire internet
|
|||
description: |
|
||||
'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critial ports should not be opened to everyone, and should be filtered.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureDiagnostic
|
||||
- connectorId: WAF
|
||||
dataTypes:
|
||||
- AzureDiagnostics
|
||||
tactics:
|
||||
- InitialAccess
|
||||
query: |
|
||||
|
|
|
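Review bot: The description sentence `Critial ports should not be opened to everyone, and should be filtered.` has a typo; if that line is on the new side of this hunk it should read `Critical ports should not be opened to everyone, and should be filtered.` The hunk also prints both `- connectorId: AzureDiagnostic` and `- connectorId: WAF` with the +/- markers lost, so I cannot tell from the rendering which value survives; whichever it is should be the connector that actually delivers the `AzureDiagnostics` data type listed beneath it, otherwise the rule's data-connector requirement will not match the table the query reads.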
@ -8,10 +8,6 @@ description: |
|
|||
Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash
|
||||
and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Logstash
|
||||
dataTypes:
|
||||
- AwsBucketAPILogs
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
|
|
|
@ -6,10 +6,6 @@ description: |
|
|||
Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash
|
||||
and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html and ListObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html
|
||||
and ListBucket at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Logstash
|
||||
dataTypes:
|
||||
- AwsBucketAPILogs
|
||||
tactics:
|
||||
- Collection
|
||||
relevantTechniques:
|
||||
|
|
|
@ -10,7 +10,7 @@ requiredDataConnectors:
|
|||
- AuditLogs
|
||||
- connectorId: SecurityEvents
|
||||
dataTypes:
|
||||
- SecurityEvents
|
||||
- SecurityEvent
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
||||
- Syslog
|
||||
|
|