Added new image and modified markdown file

This commit is contained in:
JeremyT 2021-03-12 14:38:42 +11:00
Parent eb3ec1540e
Commit 10c34da5d7
2 changed files: 1 addition and 1 deletion


@ -9,7 +9,7 @@
|<sub>2.<sub/> | <sub>**Filter** (or) <sub/> | <img src="media/cf7c4ef2bf29e136988353de1355bec2.png"> |<sub>***Option 1: Use 'in'***<br/><pre>SecurityEvent<br/>\| where SubjectUserName in<br/> ("Adm1","ServiceAccount1","AutomationServices")</pre><br/>***Option 2: Use 'or'***<br/><pre>SecurityEvent<br/>\| where SubjectUserName == "Adm1" or <br/>SubjectUserName == "ServiceAccount1" or <br/>SubjectUserName == "AutomationServices"</pre>***Note:***<br/>Both options are identical in performance, but Option 1 is preferred as it is more user-readable.<br/><br/></sub> | <sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<br/>- [in](https://docs.microsoft.com/azure/data-explorer/kusto/query/inoperator) </sub>
|<sub>3.<sub/> | <sub>**Nested Filter**<sub/> | ![](media/e287eb056812ee240fe572a28d809393.png)<br/><br/><br/><sub>__"/All Filters/Soc Filters/Exclude Valid Users":__<br/><br/><sub/> ![](media/86656cdcececce6b6c45d4db3f8b15e1.png) | <sub>***Option 1: Direct filter with "where" statement***<br/><br/><pre>SecurityEvent<br/>\| where EventID == 4728 <br/>\| where isnotempty(SubjectDomainName) or <br/>isnotempty(TargetDomainName) <br/>\| where SubjectUserName !\~ "AutoMatedService"</pre><br/><br/>***Option 2: Use KQL function***<br/><br/> 1. Save the following query as KQL function with the alias of "ExcludeValidUsers".<br/><pre>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName)<br/>\| where SubjectUserName =\~ "AutoMatedService"<br/>\| project SubjectUserName</pre>2. After that, use the following query to filter "ExcludeValidUsers"<br/><pre>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName) or <br/>isnotempty(TargetDomainName)<br/>\| where SubjectUserName !in (ExcludeValidUsers)</pre><br/>***Option 3: Use parameter function***<br/><br/> 1. Create a parameter function with the name and alias of “ExcludeValidUsers”.<br/> 2. Define the parameters of the function. For example,<br/><pre>Tbl: (TimeGenerated:datatime, Computer:string, <br/>EventID:string, SubjectDomainName:string, <br/>TargetDomainName:string, SubjectUserName:string)</pre> 3. The parameter function has the following query:<pre>Tbl<br/>\| where SubjectUserName !\~ "AutoMatedService"</pre> 4. Invoke the parameter function with the following query:<br/> <pre>let Events = (<br/>SecurityEvent <br/>\| where EventID == 4728<br/>);<br/>ExcludeValidUsers(Events)</pre><br/>***Option 4: Use Join***<br/><br/>Least preferred option. 
Avoid using 'join' when it can be done with other options.<br/><pre>let events = (<br/>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName) <br/>or isnotempty(TargetDomainName)<br/>);<br/>let ExcludeValidUsers = (<br/>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName)<br/>\| where SubjectUserName =\~ "AutoMatedService"<br/>);<br/>events<br/>\| join kind=leftanti ExcludeValidUsers on <br>\$left.SubjectUserName == \$right.SubjectUserName</pre><br/>***Note:***<br/>- Avoid case-insensitive operators (=\~ and !\~) when possible for query optimization. Use (== and !=) if the value is not case-sensitive.<br/>- Option 1 is preferred due to its simplicity while Option 4 is the least preferred option. Avoid using 'join' when it can be done with other options for better performance.<br/><br/><sub/> |<sub>- [Sample KQL function.](https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381)<br/>- [Sample Parameter function.](../../../Downloads/Enriching%20Windows%20Security%20Events%20with%20Parameterized%20Function%20-%20Microsoft%20Tech%20Community)<br/>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [where](https://docs.microsoft.com/azure/data-explorer/kusto/query/whereoperator)</sub>
|<sub>4.<sub/> | <sub>**Active list** (Lookup)<sub/> | ![](media/513a09f2398d9c89d3c7499f0f54856e.png) |<sub>This assumes the Watchlist 'Cyber-Ark Exception Accounts' has been created in Azure Sentinel with an 'Account' field.<br/><br/><pre>let Activelist=(<br/>\_GetWatchlist('Cyber-Ark Exception Accounts')<br/>\| project Account );<br/>CommonSecurityLog<br/>\| where DestinationUserName in (Activelist)<br/>\| where DeviceVendor == "Cyber-Ark"<br/>\| where DeviceAction == "Get File Request"<br/>\| where DeviceCustomNumber1 != ""<br/>\| project DeviceAction, DestinationUserName, <br/>TimeGenerated,SourceHostName, <br/>SourceUserName, DeviceEventClassID</pre>**Note:**<br/>Order the filters by starting with the 'where' statement that filter out the most data.<br/><sub/>| <sub>Watchlist is the "Active list" equivalent feature in Azure Sentinel.<br/>Learn more about Watchlist with the following link:<br/>- [Watchlist](https://docs.microsoft.com/azure/sentinel/watchlists)<br/><br/>Watchlist is just one of the methods to implement lookups.<br/>Refer to the below blog post for more options:<br/>- [Implementing Lookups in Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel/ba-p/1091306)<sub/>
|<sub>5.<sub/> | <sub>**Correlation** <br/>(Match a rule condition against a set of base events)<sub/> | ![](media/765de18fb4d82d41dcf5856b7cde57b4.png) | <sub><pre>let event1 =(<br/>SecurityEvent<br/>\| where EventID == 4728<br/>);<br/>let event2 =(<br/>SecurityEvent<br/>\| where EventID == 4729<br/>);<br/>event1<br/>\| join kind=inner event2 <br/>on \$left.TargetUserName==\$right.TargetUserName</pre>**Note:**<br/>For optimization, make sure the smaller table is on the left side of the join. Also, if the left side is relatively small (up to 100K records), add `hint.strategy=broadcast` for better performance.<sub/> | <sub>Join:<br/>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [Time Window Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/join-timewindow)<br/>- [Shuffle](https://docs.microsoft.com/azure/data-explorer/kusto/query/shufflequery)<br/>- [Broadcast](https://docs.microsoft.com/azure/data-explorer/kusto/query/broadcastjoin)<br/>- [Union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)<br/><br/>Define statement:<br/>- [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement)<br/><br/> Aggregation:<br/>- [make_set](https://docs.microsoft.com/azure/data-explorer/kusto/query/makeset-aggfunction)<br/>- [make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)<br/>- [make_bag](https://docs.microsoft.com/azure/data-explorer/kusto/query/make-bag-aggfunction)<br/>- [pack](https://docs.microsoft.com/azure/data-explorer/kusto/query/packfunction)<sub/>
|<sub>5.<sub/> | <sub>**Correlation** <br/>(Match a rule condition against a set of base events)<sub/> | ![](media/7328be18fb4d82d41dcf5856b7cde57b4.png) | <sub><pre>let event1 =(<br/>SecurityEvent<br/>\| where EventID == 4728<br/>);<br/>let event2 =(<br/>SecurityEvent<br/>\| where EventID == 4729<br/>);<br/>event1<br/>\| join kind=inner event2 <br/>on \$left.TargetUserName==\$right.TargetUserName</pre>**Note:**<br/>For optimization, make sure the smaller table is on the left side of the join. Also, if the left side is relatively small (up to 100K records), add `hint.strategy=broadcast` for better performance.<sub/> | <sub>Join:<br/>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [Time Window Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/join-timewindow)<br/>- [Shuffle](https://docs.microsoft.com/azure/data-explorer/kusto/query/shufflequery)<br/>- [Broadcast](https://docs.microsoft.com/azure/data-explorer/kusto/query/broadcastjoin)<br/>- [Union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)<br/><br/>Define statement:<br/>- [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement)<br/><br/> Aggregation:<br/>- [make_set](https://docs.microsoft.com/azure/data-explorer/kusto/query/makeset-aggfunction)<br/>- [make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)<br/>- [make_bag](https://docs.microsoft.com/azure/data-explorer/kusto/query/make-bag-aggfunction)<br/>- [pack](https://docs.microsoft.com/azure/data-explorer/kusto/query/packfunction)<sub/>
|<sub>6.<sub/> | <sub>**Correlation** (Time Window Filter)<sub/> | ![](media/765de18fb4d82d41dcf5856b7cde57b4.png) |<sub><pre>let waittime = 10m;<br/>let lookback = 1d;<br/>let event1 = (<br/>SecurityEvent<br/>\| where TimeGenerated \> ago(waittime+lookback)<br/>\| where EventID == 4728<br/>\| project event1_time = TimeGenerated, <br/>event1_ID = EventID, event1_Activity= Activity, <br/>event1_Host = Computer, TargetUserName, <br/>event1_UPN=UserPrincipalName, <br/>AccountUsedToAdd = SubjectUserName <br/>);<br/>let event2 = (<br/>SecurityEvent<br/>\| where TimeGenerated \> ago(waittime)<br/>\| where EventID == 4729<br/>\| project event2_time = TimeGenerated, <br/>event2_ID = EventID, event2_Activity= Activity, <br/>event2_Host= Computer, TargetUserName, <br/>event2_UPN=UserPrincipalName,<br/> AccountUsedToRemove = SubjectUserName <br/>);<br/> event1<br/>\| join kind=inner event2 on TargetUserName<br/>\| where event2_time - event1_time \< lookback<br/>\| where tolong(event2_time - event1_time ) \>=0<br/>\| project delta_time = event2_time - event1_time,<br/> event1_time, event2_time,<br/> event1_ID,event2_ID,event1_Activity,<br/> event2_Activity, TargetUserName, AccountUsedToAdd,<br/> AccountUsedToRemove,event1_Host,event2_Host, <br/> event1_UPN,event2_UPN</pre><sub/>|<sub>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [Azure Sentinel Correlation Rules : Join](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500)<sub/>
|<sub>7.<sub/> | <sub>**Aggregation**<sub/> | ![](media/b3a52d1e5d3ef4a33a0504f94f9bf7cc.png) | <sub><pre>SecurityEvent<br/>\| summarize Count = count() by SubjectUserName, <br/>SubjectDomainName<br/>\| where Count \>3</pre><sub/> |<sub>- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)<sub/>
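Review bot: the removed and added row-5 lines differ only in the image path (media/765de18fb4d82d41dcf5856b7cde57b4.png becomes media/7328be18fb4d82d41dcf5856b7cde57b4.png), which stops row 5 (Correlation) and row 6 (Time Window Filter) from pointing at the same screenshot; that is the right fix, but since the hunk touches this table, two defects visible in the surrounding rows are worth picking up in the same commit. In row 3, Option 3, the tabular parameter declaration `Tbl: (TimeGenerated:datatime, Computer:string, EventID:string, ...)` misspells the type `datetime`, and declares `EventID` as `string` even though every other query on the page compares it to an integer literal (`where EventID == 4728`), so the declared schema will not match the SecurityEvent rows passed in by `ExcludeValidUsers(Events)`; it should read `TimeGenerated:datetime` and `EventID:int`. Also in row 3, the "Sample Parameter function." reference links to `../../../Downloads/Enriching%20Windows%20Security%20Events%20with%20Parameterized%20Function%20-%20Microsoft%20Tech%20Community`, a path on the author's machine rather than a URL, so it renders as a dead link; replace it with the techcommunity.microsoft.com address of that post. Lastly, every row closes its subscript spans with `<sub/>`, which is not a closing tag; use `</sub>` so the markup is well-formed.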

Binary data
Tools/RuleMigration/media/7328be18fb4d82d41dcf5856b7cde57b4.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 15 KiB