Merge pull request #3035 from javiersoriano/sentinel-training

Adding missing telemetry

Solutions/Training/Azure-Sentinel-Training-Lab/Artifacts/Telemetry/AuditLogs_Hunting.csv

@@ -0,0 +1,6 @@
+OperationName,InitiatingUserOrApp,InitiatingIpAddress,UserAgent,targetDisplayName,targetId,targetType,keyDisplayName,keyType,keyUsage,keyIdentifier,CorrelationId,SourceSystem,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AdditionalDetails,Id,InitiatedBy,LoggedByService,Result,ResultReason,TargetResources,ActivityDisplayName,AADOperationType,Type,target,keyEvents,AccountCustomEntity,IPCustomEntity
+Update application – Certificates and secrets management ,Victim@buildseccxpninja.onmicrosoft.com,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62",purview-spn-user099,020c2630-81fb-4469-9a9c-ce9984a45458,Application,key 2,Password,Verify,11ca002d-d846-4692-8e1f-501db99f485a,9cee9603-bca7-4e62-9634-f1bfdc39ca2f,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_9cee9603-bca7-4e62-9634-f1bfdc39ca2f_1261B_35670955,"{""user"":{""displayName"":null,""userPrincipalName"":""victim@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""45.153.160.2"",""roles"":[],""id"":""34070915-82ff-492a-801f-e90484e79248""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\""]"",""newValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\"",\""[KeyIdentifier=11ca002d-d846-4692-8e1f-501db99f485a,KeyType=Password,KeyUsage=Verify,DisplayName=key 2]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""purview-spn-user099"",""type"":""Application"",""id"":""020c2630-81fb-5678-9a9c-ce9984a45458""}]",Update application – Certificates and secrets management ,Update,AuditLogs,"{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\""]"",""newValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\"",\""[KeyIdentifier=11ca002d-d846-4692-8e1f-501db99f485a,KeyType=Password,KeyUsage=Verify,DisplayName=key 2]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""purview-spn-user099"",""type"":""Application"",""id"":""020c2630-81fb-4469-9a9c-ce9984a45458""}","{""displayName"":""KeyDescription"",""oldValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\""]"",""newValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\"",\""[KeyIdentifier=11ca002d-d846-4692-8e1f-501db99f485a,KeyType=Password,KeyUsage=Verify,DisplayName=key 2]\""]""}",Victim@buildseccxpninja.onmicrosoft.com,
+Update application – Certificates and secrets management ,VadimJ@buildseccxpninja.onmicrosoft.com,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62",EntApp01,a05db9f5-91e6-4bba-860e-cf38984e89fc,Application,PurviewAppAccess,Password,Verify,1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,05cb7360-e689-4ce0-ba41-90aea748f764,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_05cb7360-e689-4ce0-ba41-90aea748f764_40B6F_20567843,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""192.168.5.8"",""roles"":[],""id"":""04dc7a40-2617-4044-b6e7-fdd8771b88a2""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,KeyType=Password,KeyUsage=Verify,DisplayName=PurviewAppAccess]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp01"",""type"":""Application"",""id"":""a05db9f5-91e6-4bba-xxxx-cf38984e89fc""}]",Update application – Certificates and secrets management ,Update,AuditLogs,"{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,KeyType=Password,KeyUsage=Verify,DisplayName=PurviewAppAccess]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp01"",""type"":""Application"",""id"":""a05db9f5-91e6-4bba-860e-cf38984e89fc""}","{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,KeyType=Password,KeyUsage=Verify,DisplayName=PurviewAppAccess]\""]""}",VadimJ@buildseccxpninja.onmicrosoft.com,
+Update application – Certificates and secrets management ,VadimJ@buildseccxpninja.onmicrosoft.com,,python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI),EntApp02,a9929be8-b429-4918-ab41-0604fc9356b4,Application,Key 3,Password,Verify,8c123b9d-31e6-4f50-a21f-88eabc8857e5,c12b4df2-9263-4f72-aeac-a0947ee77886,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_c12b4df2-9263-4f72-aeac-a0947ee77886_T6RO5_48034739,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""185.20.35.69"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=8c123b9d-31e6-4f50-a21f-88eabc8857e5,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp02"",""type"":""Application"",""id"":""a9929be8-b429-4918-ab41-0604fc9356b4""}]",Update application – Certificates and secrets management ,Update,AuditLogs,"{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=8c123b9d-31e6-4f50-a21f-88eabc8857e5,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp02"",""type"":""Application"",""id"":""a9929be8-b429-4918-ab41-0604fc9356b4""}","{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=8c123b9d-31e6-4f50-a21f-88eabc8857e5,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""}",VadimJ@buildseccxpninja.onmicrosoft.com,
+Update application – Certificates and secrets management ,VadimJ@buildseccxpninja.onmicrosoft.com,,python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI),EntApp03,20bdf178-f471-41bd-936f-2d4e0970b66c,Application,Secret,Password,Verify,bd3aa4f4-0737-42be-8506-1d2378a2ff0b,eb556ded-81df-427f-9552-e9a7161db0de,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_eb556ded-81df-427f-9552-e9a7161db0de_DZ0PK_68632943,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""33.88.24.12"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=bd3aa4f4-0737-42be-8506-1d2378a2ff0b,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp03"",""type"":""Application"",""id"":""20bdf178-f471-41bd-936f-2d4e0970b66c""}]",Update application – Certificates and secrets management ,Update,AuditLogs,"{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=bd3aa4f4-0737-42be-8506-1d2378a2ff0b,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp03"",""type"":""Application"",""id"":""20bdf178-f471-41bd-936f-2d4e0970b66c""}","{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=bd3aa4f4-0737-42be-8506-1d2378a2ff0b,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""}",VadimJ@buildseccxpninja.onmicrosoft.com,
+Update application – Certificates and secrets management ,VadimJ@buildseccxpninja.onmicrosoft.com,,python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI),EntApp04,b89ea4f7-3fb2-4731-b1cf-a4ee5d5624b9,Application,Secret,Password,Verify,a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,61576753-576a-47ba-8c1c-69047fd50427,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_61576753-576a-47ba-8c1c-69047fd50427_UETZH_76356316,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""172.19.53.7"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp04"",""type"":""Application"",""id"":""b89ea4f7-3fb2-4731-b1cf-a4ee5d5624b9""}]",Update application – Certificates and secrets management ,Update,AuditLogs,"{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp04"",""type"":""Application"",""id"":""b89ea4f7-3fb2-4731-b1cf-a4ee5d5624b9""}","{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""}",VadimJ@buildseccxpninja.onmicrosoft.com,

Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-4-Incident-Management.md

@@ -116,7 +116,7 @@ We have 2 options to open the workbook:
 M5-close-incident
 
 
-### Exercise 3: Acknowledge a new incident
+### Exercise 3: Handling **"Solorigate Network Beacon"** incident
 
 1. If not already there, navigate to *Incidents* view in Azure Sentinel
 

Solutions/Training/Azure-Sentinel-Training-Lab/README.md

@@ -42,7 +42,7 @@ Below you can see all the [modules](#Modules) that are part of this lab. Althoug
 [**Module 4 – Incident Management**](./Modules/Module-4-Incident-Management.md)
 - [Review Azure Sentinel incident tools and capabilities](./Modules/Module-4-Incident-Management.md#exercise-1-review-azure-sentinel-incident-tools-and-capabilities)
 - [Handling Incident "Sign-ins from IPs that attempt sign-ins to disabled accounts"](./Modules/Module-4-Incident-Management.md#exercise-2-handling-incident-sign-ins-from-ips-that-attempt-sign-ins-to-disabled-accounts)
-- [Acknowledge a new incident](./Modules/Module-4-Incident-Management.md#exercise-3-Acknowledge-a-new-incident)
+- [Handling "Solorigate Network Beacon" incident](./Modules/Module-4-Incident-Management.md#exercise-3-Handling-solorigate-network-beacon-incident)
 - [Hunting for more evidence](./Modules/Module-4-Incident-Management.md#exercise-4-Hunting-for-more-evidence)
 - [Add IOC to Threat Intelligence](./Modules/Module-4-Incident-Management.md#exercise-5-Add-IOC-to-Threat-Intelligence)
 - [Handover incident](./Modules/Module-4-Incident-Management.md#exercise-6-Handover-incident)