Merge pull request #303 from Azure/igshapir-fix-yaml-syntax-and-remove-deployed-queries
Fix yaml syntax for queries and remove deployed queries list
0e5a4607d5
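--- a/DeployedQueries.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-73ac88c0-f073-4b23-8ac4-9f40ea11308d # Anomalous Azure AD apps based on authentication location
-ca67c83e-7fff-4127-a3e3-1af66d6d4cad # Processes executed from base-encoded PE files
-d6190dde-8fd2-456a-ac5b-0a32400b0464 # Processes executed from binaries hidden in Base64 encoded files
-a1e993de-770a-4434-83e9-9e3b47a6e470 # User and Group enumeration
-e7642e6e-cf27-46ec-a4b9-e4475228fead # Summary of failed user logons by reason of failure
-62e2df59-1535-4c8e-ac6c-c91faeed0179 # Hosts with new logons
-75bf9902-0789-47c1-a5d8-f57046aa72df # Malware in the recycle bin
-60304ebf-ebdd-4869-a702-e0216d90ab46 # Masquerading files
-41fa6e2d-afe9-4398-9356-cec3a927e44e # Azure AD signins from new locations
-513e3a11-e1bb-4cfc-8af9-451da0407e6b # New processes observed in last 24 hours
-5e76eaf9-79a7-448c-bace-28e5b53b8396 # Summary of users created using uncommon & undocumented commandline switches
-d83f40fc-bbcc-4020-8d45-ad2d82355cb2 # Powershell downloads
-36abe031-962d-482e-8e1e-a556ed99d5a3 # Script usage summary (cscript.exe)
-e8ae1375-4640-430c-ae8e-2514d09c71eb # Sharepoint downloads
-2ff4b10c-7056-4898-83fd-774104189fd5 # Uncommon processes/files - bottom 5%
-d0f13bb9-e713-4f89-b610-1806326a1dea # Summary of user logons by logon type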
@ -1,14 +1,3 @@
|
|||
// Name: New user agents associated with a clientIP for sharepoint file uploads/downloads
|
||||
//
|
||||
// Id: e8ae1375-4640-430c-ae8e-2514d09c71eb
|
||||
//
|
||||
// Description: New user agents associated with a clientIP for sharepoint file uploads/downloads.
|
||||
//
|
||||
// DataSource: #OfficeActivity
|
||||
//
|
||||
// Tactics: #Exfiltration
|
||||
//
|
||||
|
||||
id: e8ae1375-4640-430c-ae8e-2514d09c71eb
|
||||
name: SharePointFileOperation via clientIP with previously unseen user agents
|
||||
description: |
|
||||
|
|
|
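--- a/(unknown)
+++ /dev/null
@@ -1,86 +0,0 @@
-# Use this script to convert the DeployedQueries.txt file with list of queries IDs
-# to DeployedQueries.json which is consumed by Sentinel Portal
-
-$QueriesInputFilePath = "DeployedQueries.txt"
-$QueriesOutputFilePath = "DeployedQueries.json"
-
-Write-Host -ForegroundColor Cyan "Reading $QueriesInputFilePath"
-$reader = new-object System.IO.StreamReader("$PSScriptRoot\\$QueriesInputFilePath")
-
-$deployedIDs = @()
-$queries = @{}
-while($null -ne ($line = $reader.ReadLine()))
-{
-$id = $line.Substring(0,36).ToLower()
-$deployedIDs += $id
-}
-$reader.Close()
-
-$pathLength = ${pwd}.Path.Length+1
-$queriesFiles = Get-ChildItem -Filter *.txt -Recurse | Select-Object -ExpandProperty FullName
-$queriesFiles += Get-ChildItem -Path '../Detections' -Filter *.txt -Recurse | Select-Object -ExpandProperty FullName
-
-$env:TZ="UTC"
-foreach ($query in $queriesFiles) {
-if ($query -like "*Detections*") {
-$shortName = "..\" + $query.Substring($pathLength-16)
-} else {
-$shortName = $query.Substring($pathLength)
-}
-Write-Host -NoNewline " Processing ${shortName} ... "
-$content = [System.IO.File]::ReadAllText($query)
-if ($content -imatch "Id: ([a-z0-9-]+)")
-{
-$id = $matches[1]
-$name = ""
-$description = ""
-$tactics = @()
-$queryText = ($content.Split([Environment]::NewLine, [System.StringSplitOptions]::RemoveEmptyEntries) | Where-Object { $_ -notmatch "^\/\/" }) -join "`n"
-$createdTimeUtc = @(git log --format=%aI ''$query'')[-1]
-
-if ($content -match "(?m)Name: (.*)\r\n") {
-$name = $matches[1]
-}
-if ($content -match "(?sm)Description: (.*?)\/\/\r\n") {
-$description = $matches[1] -replace '(?m)^//', '' -replace '[\r\n]', ''
-}
-if ($content -match "(?m)Tactics: (.*)\r\n") {
-$tactics = @(($matches[1].split(',#', [System.StringSplitOptions]::RemoveEmptyEntries).Trim() | Where-Object {$_}).Replace(' ', ''))
-}
-
-$queries[$id] = @{
-id = $id;
-name = $name;
-description = $description;
-tactics = $tactics;
-query = $queryText;
-createdTimeUtc = $createdTimeUtc;
-}
-Write-Host $id $name
-}
-else
-{
-Write-Host "Skip"
-}
-
-}
-
-$allQueries = @()
-foreach ($id in $deployedIDs) {
-Write-Host -NoNewline -ForegroundColor Magenta " Processing $id ... "
-$query = $queries[$id]
-if ($query)
-{
-$allQueries += $query
-Write-Host -ForegroundColor Green $query.name
-}
-else
-{
-Write-Host -ForegroundColor Red "Not found"
-}
-}
-
-Write-Host -ForegroundColor Cyan "Saving: $QueriesOutputFilePath"
-$allQueries | ConvertTo-Json | Out-File $QueriesOutputFilePath -Encoding utf8
-
-Write-Host -ForegroundColor Green "Done"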