From 61dde1a424c09fb3009b69a14faf9ea3fe471780 Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:17:00 -0700
Subject: [PATCH 1/8] moving file from parent to under AzureActivity
---
 .../AzureSentinelConnectors_AdministrativeOperations | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Hunting Queries/{ => AzureActivity}/AzureSentinelConnectors_AdministrativeOperations (100%)
diff --git a/Hunting Queries/AzureSentinelConnectors_AdministrativeOperations b/Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations
similarity index 100%
rename from Hunting Queries/AzureSentinelConnectors_AdministrativeOperations
rename to Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations
From f85c19e4389e9e3fe2841730b4793e1da678840a Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:19:48 -0700
Subject: [PATCH 2/8] adding yaml extension
---
 ...tiveOperations => AnalyticsRulesAdministrativeOperations.yaml} | 0
 ...istrativeOperations => AzureNSG_AdministrativeOperations.yaml} | 0
 ...ions => AzureSentinelConnectors_AdministrativeOperations.yaml} | 0
 ...ration => AzureSentinelWorkbooks_AdministrativeOperation.yaml} | 0
 ...=> AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml} | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename Hunting Queries/AzureActivity/{AnalyticsRulesAdministrativeOperations => AnalyticsRulesAdministrativeOperations.yaml} (100%)
 rename Hunting Queries/AzureActivity/{AzureNSG_AdministrativeOperations => AzureNSG_AdministrativeOperations.yaml} (100%)
 rename Hunting Queries/AzureActivity/{AzureSentinelConnectors_AdministrativeOperations => AzureSentinelConnectors_AdministrativeOperations.yaml} (100%)
 rename Hunting Queries/AzureActivity/{AzureSentinelWorkbooks_AdministrativeOperation => AzureSentinelWorkbooks_AdministrativeOperation.yaml} (100%)
 rename Hunting Queries/AzureActivity/{AzureVirtualNetworkSubnets_AdministrativeOperationset => AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml} (100%)
diff --git a/Hunting Queries/AzureActivity/AnalyticsRulesAdministrativeOperations b/Hunting Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml
similarity index 100%
rename from Hunting Queries/AzureActivity/AnalyticsRulesAdministrativeOperations
rename to Hunting Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml
diff --git a/Hunting Queries/AzureActivity/AzureNSG_AdministrativeOperations b/Hunting Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml
similarity index 100%
rename from Hunting Queries/AzureActivity/AzureNSG_AdministrativeOperations
rename to Hunting Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml
diff --git a/Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations b/Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml
similarity index 100%
rename from Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations
rename to Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml
diff --git a/Hunting Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation b/Hunting Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml
similarity index 100%
rename from Hunting Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation
rename to Hunting Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml
diff --git a/Hunting Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset b/Hunting Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml
similarity index 100%
rename from Hunting Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset
rename to Hunting Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml
From 8fe1192952c7d12e9d728f17e1e44bf80139ac0c Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:21:17 -0700
Subject: [PATCH 3/8] removed customconnector entries from AWS S3
---
 ...WSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml | 4 ----
 ...tAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml | 4 ----
 2 files changed, 8 deletions(-)
diff --git a/Hunting Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml b/Hunting Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml
index 8025abec7d..379a4121b1 100644
--- a/Hunting Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml
+++ b/Hunting Queries/CustomLogs/AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly.yaml
@@ -8,10 +8,6 @@ description: |
 Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html'
 severity: Medium
-requiredDataConnectors:
- - connectorId: Logstash
- dataTypes:
- - AwsBucketAPILogs
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
diff --git a/Hunting Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml b/Hunting Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml
index 08490f6f05..feb65c2507 100644
--- a/Hunting Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml
+++ b/Hunting Queries/CustomLogs/AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP.yaml
@@ -6,10 +6,6 @@ description: |
 Read more about ingest custom logs using Logstash at https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash and AWS S3 API GetObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html and ListObject at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html and ListBucket at https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html'
-requiredDataConnectors:
- - connectorId: Logstash
- dataTypes:
- - AwsBucketAPILogs
 tactics:
 - Collection
 relevantTechniques:
From 170898d52ccd80418373798d5d5151db53a240da Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:22:58 -0700
Subject: [PATCH 4/8] corrected DataType
---
 .../MultipleDataSources/TrackingPasswordChanges.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml b/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml
index e0a6035e9a..5965a65541 100644
--- a/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml
+++ b/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml
@@ -10,7 +10,7 @@ requiredDataConnectors:
 - AuditLogs
 - connectorId: SecurityEvents
 dataTypes:
- - SecurityEvents
+ - SecurityEvent
 - connectorId: Syslog
 dataTypes:
 - Syslog
From 40bc08c19764f81a10829eb446a58d2a2c70fca7 Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:24:40 -0700
Subject: [PATCH 5/8] fixed missing datatype to align with other
---
 Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml b/Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml
index 1d0c8122b6..5cf2718478 100644
--- a/Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml
+++ b/Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml
@@ -3,7 +3,9 @@ name: Check critical ports opened to the entire internet
 description: |
 'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critial ports should not be opened to everyone, and should be filtered.'
 requiredDataConnectors:
- - connectorId: AzureDiagnostic
+ - connectorId: WAF
+ dataTypes:
+ - AzureDiagnostics
 tactics:
 - InitialAccess
 query: |
From 5177a432a79c2a8eb3d0b2aaf8e7f763acc71e7f Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:31:25 -0700
Subject: [PATCH 6/8] BugFix- additional field covereage containing IP
---
 Detections/MultipleDataSources/PhosphorusIOCs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/MultipleDataSources/PhosphorusIOCs.yaml b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
index 459d55074f..0c95e60c52 100644
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
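Review bot: The new `connectorId: WAF` in CriticalPortsOpened.yaml is worth confirming against the query body, which begins after this hunk: the description says the query looks for rules with `'Any'` as sourceIp, which reads as network security group configuration rather than web application firewall telemetry, so the `AzureDiagnostics` rows it consumes may not be the ones the WAF connector ships. If WAF is the intended source, a sentence in the description naming the resource type whose diagnostics are read would make the dependency clear; if it is not, the connectorId should name the connector that actually produces those rows. Either way the dataTypes entry now matches what the other AzureDiagnostics queries declare, which is the part the commit set out to fix.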
@@ -55,7 +55,8 @@ query: |
 | where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
 | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or DNSName in~ (DomainNames)
 | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")
- | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName),
+ | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName
+ ),
 (DnsEvents
 | where TimeGenerated >= ago(timeframe)
 | extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
From 1d7db2fe25075d0341742e68b0a4e2532d5e4c41 Mon Sep 17 00:00:00 2001
From: Ashwin Patil
Date: Thu, 23 Jul 2020 16:43:15 -0700
Subject: [PATCH 7/8] bugfix- Phosporous IOC query changes
---
 Detections/MultipleDataSources/PhosphorusIOCs.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/Detections/MultipleDataSources/PhosphorusIOCs.yaml b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
index 0c95e60c52..5d0b3ea6dc 100644
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@@ -50,12 +50,16 @@ query: |
 let IPList = dynamic(["51.91.200.147"]);
 (union isfuzzy=true
 (CommonSecurityLog
- | where TimeGenerated >= ago(timeframe)
+ | where TimeGenerated >= ago(timeframe)
 | parse Message with * '(' DNSName ')' *
- | where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
- | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or DNSName in~ (DomainNames)
- | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")
- | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName
+ | extend MessageIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
+ | extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
+ | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
+ or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
+ or (isnotempty(Message) and MessageIP in (IPList))
+ | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch")
+ | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
+ IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
 ),
 (DnsEvents
 | where TimeGenerated >= ago(timeframe)
From 34a188a647574d4a2119b0f771df66fc77a07335 Mon Sep 17 00:00:00 2001
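Review bot: `RequestURLIP` on the new `| extend RequestURLIP = extract(..., 0, Message)` line is extracted from `Message`, not `RequestURL`, so it always equals `MessageIP`; the `RequestURLIP in (IPList)` test in the where clause then adds nothing, and the `"RequestUrl"` branch of the `IPMatch` case is unreachable because the `MessageIP` branch before it fires first on the same value. The line should read `| extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, RequestURL)`; PATCH 8/8 keeps the same `Message` argument when it introduces `IPRegex`, so the fix applies there too. Separately, rows matched only on `DNSName`, `DestinationHostName` or a `RequestURL` domain get `IPCustomEntity = "NoMatch"`, a literal string placed in the IP entity column, where an empty value would be safer for entity mapping. The CommonSecurityLog branch this hunk edits is part of a union that continues outside the hunk.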
From: Ashwin Patil
Date: Fri, 24 Jul 2020 11:05:19 -0700
Subject: [PATCH 8/8] creating IPRegex variable to re-use
---
 Detections/MultipleDataSources/PhosphorusIOCs.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Detections/MultipleDataSources/PhosphorusIOCs.yaml b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
index 5d0b3ea6dc..275b480b33 100644
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@@ -48,12 +48,13 @@ query: |
 "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
 "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
 let IPList = dynamic(["51.91.200.147"]);
+ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
 (union isfuzzy=true
 (CommonSecurityLog
 | where TimeGenerated >= ago(timeframe)
 | parse Message with * '(' DNSName ')' *
- | extend MessageIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
- | extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
+ | extend MessageIP = extract(IPRegex, 0, Message)
+ | extend RequestURLIP = extract(IPRegex, 0, Message)
 | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
 or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
 or (isnotempty(Message) and MessageIP in (IPList))
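Review bot: `extract(IPRegex, 0, Message)` on the new `MessageIP` line returns only the first IPv4-looking substring of `Message`, so a message that mentions another address before the indicator no longer matches now that the `Message has_any (IPList)` test was dropped in PATCH 7/8. Either reinstate `or (isnotempty(Message) and Message has_any (IPList))` in the where clause next to the `MessageIP` test, or collect every address with `extract_all` before comparing against `IPList`. `IPRegex` is also unanchored, so it will match inside longer digit runs such as a five-digit number followed by dotted octets; word boundaries at each end would tighten it if the regex engine in use supports them. A short comment beside `let IPRegex` stating that it yields the first dotted quad only would save the next editor from assuming full coverage of the message.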