KQL-validations-failures-fixed-for-multiple-solutions

2023-02-06 19:25:04 +05:30 · 2023-02-06 19:25:04 +05:30 · 0b848f0d64
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@ -2465,16 +2465,6 @@
    "templateName": "UserAccounts-BlockedAccounts.yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "f18c4dfb-4fa6-4a9d-9bd3-f7569d1d685a",
-    "templateName": "User Grant Access and Grants Other Access.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
-  {
-    "id": "f18c4dfb-4fa6-4a9d-9bd3-f7569d1d685a",
-    "templateName": "User Grant Access and Grants Other Access.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "bafc1446-1cc4-4f6d-ad76-1250b8c3b60c",
    "templateName": "unusual-volume-of-file-sharing.yaml",
@ -2490,11 +2480,6 @@
    "templateName": "Unusual Number of Repository Clones.yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "a953f304-12e4-48ae-bedc-d58fb1b0c6a6",
-    "templateName": "UnicodeObfuscationInCommandLine.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "6962473c-bcb8-421d-a0db-826078cad280",
    "templateName": "UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml",
@ -2815,11 +2800,6 @@
    "templateName": "NetworkConnectiontoOMIPorts.yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "19abc034-139e-4e64-a05d-cb07ce8b003b",
-    "templateName": "NetworkConnectionldap_log4j.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "36582cd7-ddd2-43bc-be79-293a61c42cbe",
    "templateName": "MultipleSensitiveLdaps.yaml",
@ -2910,11 +2890,6 @@
    "templateName": "KNOTWEED-AVDetections.yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "2265bbd2-7e97-4d69-bdfc-eeb646730d8f",
-    "templateName": "JiraUserIPs.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "72e7f2c9-aba5-427e-b2ec-f68c191010ec",
    "templateName": "insider-threat-detection-queries (3).yaml",
@ -3100,11 +3075,6 @@
    "templateName": "Discorddownloadinvokedfromcmdline(ASIMVersion).yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "83d5652c-025c-4cee-9f33-3bc114648859",
-    "templateName": "DigitalGuardianIncidentsByUser.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "fbcb7ff3-0d5a-4565-9caa-fc454138081f",
    "templateName": "devices_with_vuln_and_users_received_payload.yaml",
@ -3185,16 +3155,6 @@
    "templateName": "CloudflareTopNetworkRules.yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "064b1051-d8ac-4ef2-a537-30d32b4c27d9",
-    "templateName": "CiscoSEGUsersReceivedSpam.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
-  {
-    "id": "7895ffa5-cd61-43cf-89e5-9630e79685fd",
-    "templateName": "CiscoSEGSpamMails.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "cdac93ef-56c0-45bf-9e7f-9cbf0ad034234",
    "templateName": "Check for spoofing attempts on the domain with Authentication failures.yaml",
@ -3220,11 +3180,6 @@
    "templateName": "c2-lookup-from-nonbrowser[Nobelium] (1).yaml",
    "validationFailReason": "Temporarily Added for Hunting Query validation"
  },
-  {
-    "id": "949aec39-304d-4fba-94b3-15337d05e3f1",
-    "templateName": "BoxAdminIpAddress.yaml",
-    "validationFailReason": "Temporarily Added for Hunting Query validation"
-  },
  {
    "id": "4d17ae75-87e8-4272-9aec-16448b1430bc",
    "templateName": "Baseline Comparison.yaml",
--- a/Queries/GitHub/User
+++ b/Queries/GitHub/User
@ -22,5 +22,5 @@ query: |
    | where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
    | distinct ImpactedUser, TimeGenerated, Actor
    | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor
-  ) on $right.secondAdderUser == $left.firstUserAdded
+  ) on $left.secondUserAdded == $right.firstUserAdded
  | where secondEventTime between (firstEventTime .. (firstEventTime + 1h))
--- a/Queries/NetworkConnectionldap_log4j.yaml
+++ b/Queries/NetworkConnectionldap_log4j.yaml
@ -35,7 +35,7 @@ query: |
  (VMConnection
  | where ProcessName has_any ("javaw","java")
  | where DestinationPort in ('389', '1389')
-  | where ipv4_is_private(DestinationIP) == false
+  | where ipv4_is_private(DestinationIp) == false
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by TimeGenerated, SourceIP = SourceIp , DestinationIP = DestinationIp, DestinationPort,  BytesReceived, BytesSent, ProcessName, Computer
  | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer
  )
--- a/Solutions/AtlassianJiraAudit/Hunting
+++ b/Solutions/AtlassianJiraAudit/Hunting
@ -15,7 +15,7 @@ query: |
  JiraAudit
  | where TimeGenerated > ago(24h)
  | where isnotempty(SrcIpAddr)
-  | where isnotempty(USerName)
+  |  where isnotempty(UserName)
  | summarize ip_list = makeset(SrcIpAddr) by UserName
  | extend AccountCustomEntity = UserName
 entityMappings:
--- a/Queries/BoxAdminIpAddress.yaml
+++ b/Queries/BoxAdminIpAddress.yaml
@ -16,7 +16,7 @@ query: |
  BoxEvents
  | where TimeGenerated > ago(30d)
  | where EventType =~ 'ADMIN_LOGIN'
-  | summarize makeset(SrcIpAddr) by SourceLogin;
+  | summarize makeset(SrcIpAddr) by SourceLogin
  | extend AccountCustomEntity = SourceLogin
 entityMappings:
  - entityType: Account
--- a/Queries/CiscoSEGSpamMails.yaml
+++ b/Queries/CiscoSEGSpamMails.yaml
@ -18,8 +18,8 @@ query: |
  | where SimplifiedDeviceAction =~ 'QUARANTINED'
  | extend act_det = extract(@'ESAFinalActionDetails":"(.*?)"', 1, tostring(AdditionalFields))
  | where act_det has 'To SPAM'
-  | summarize count by SrcIpAddr
-  | extend IPCustomEntity = SrcIpAddr
+  | summarize count() by SourceIP
+  | extend IPCustomEntity = SourceIP
 entityMappings:
  - entityType: IP
    fieldMappings:
--- a/Queries/CiscoSEGUsersReceivedSpam.yaml
+++ b/Queries/CiscoSEGUsersReceivedSpam.yaml
@ -18,7 +18,7 @@ query: |
  | where SimplifiedDeviceAction =~ 'QUARANTINED'
  | extend act_det = extract(@'ESAFinalActionDetails":"(.*?)"', 1, tostring(AdditionalFields))
  | where act_det has 'To SPAM'
-  | summarize count by DstUserName
+  | summarize count() by DstUserName
  | extend AccountCustomEntity = DstUserName
 entityMappings:
  - entityType: Account
--- a/Queries/DigitalGuardianIncidentsByUser.yaml
+++ b/Queries/DigitalGuardianIncidentsByUser.yaml
@ -15,7 +15,7 @@ query: |
  DigitalGuardianDLPEvent
  | where TimeGenerated > ago(24h)
  | where isnotempty(IncidentStatus)
-  | where inc_act has 'New'
+  | where IncidentStatus has 'New'
  | summarize makeset(IncidentsUrl) by SrcUserName
  | extend AccountCustomEntity = SrcUserName
 entityMappings:
--- a/Queries/UnicodeObfuscationInCommandLine.yaml
+++ b/Queries/UnicodeObfuscationInCommandLine.yaml
@ -36,7 +36,7 @@ query: |
  | extend ASCII = isascii(CommandLine)
  | where ASCII == false
  | extend Account = ActorUsername, Computer = DvcHostname))
-  | summarize Computers=make_set(Computer), Users=make_set(Account), NumberOfTimesRun = count(TimeGenerated), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine
+  | summarize Computers=make_set(Computer), Users=make_set(Account), NumberOfTimesRun = dcount(TimeGenerated), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine
  | extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users)
-  | project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfComputers, NumberOfTimesRun, Computers, Users
+  | project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfTimesRun, Computers, Users
  | extend timestamp = FirstSeen
--- a/Solutions/GitHub/Hunting
+++ b/Solutions/GitHub/Hunting
@ -22,5 +22,5 @@ query: |
    | where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
    | distinct ImpactedUser, TimeGenerated, Actor
    | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor
-  ) on $right.secondAdderUser == $left.firstUserAdded
+  ) on $left.secondUserAdded == $right.firstUserAdded
  | where secondEventTime between (firstEventTime .. (firstEventTime + 1h))