Adding additional entity outputs as needed by other tooling and to support future automap of entities similar to Detections

Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml

@@ -3,7 +3,7 @@ name: Account Added to Privileged PIM Group
 description: |
   'Identifies accounts that have been added to a PIM managed privileged group'
 requiredDataConnectors:
-  - connectorId: Azure Active Directory
+  - connectorId: AzureActiveDirectory
     dataTypes:
       - AuditLogs
 tactics:
@@ -21,13 +21,12 @@ query: |
   | extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
   | extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
   | extend Initiatedby = Identity
-  | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
+  | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResultReason, ResourceId, Id
   | sort by TimeGenerated desc
+  | extend timestamp = TimeGenerated, AccountCustomEntity = TargetAccount, ResourceCustomEntity = ResourceId
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: FullName
-        columnName: Initiatedby
       - identifier: FullName
         columnName: TargetAccount
   - entityType: Azure resource

Hunting Queries/AzureActivity/Common_Deployed_Resources.yaml

@@ -18,11 +18,20 @@ query: |
   AzureActivity
   | where OperationNameValue has_any (@"deployments/write", @"virtualMachines/write")  
   | where ActivityStatusValue == "Succeeded"
-  | summarize by bin(TimeGenerated,1h), Resource, ResourceGroup, OperationNameValue, Caller
+  | summarize by bin(TimeGenerated,1d), Resource, ResourceGroup, ResourceId, OperationNameValue, Caller
   | evaluate basket()
   | where isnotempty(Caller) and isnotempty(Resource) and isnotempty(TimeGenerated)
   | order by Percent desc, TimeGenerated desc
-  | extend timestamp = TimeGenerated
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, ResourceCustomEntity = ResourceId
   // remove comments below on filters if the goal is to see more common or more rare Resource, Resource Group and Caller combinations
   //| where Percent <= 40 // <-- more rare
   //| where Percent >= 60 // <-- more common
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: Caller
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml

@@ -1,11 +1,16 @@
 id: 8741deeb-332e-4061-8873-5086040920e3
 name: Anomalous AAD Account Manipulation
 description: |
-  'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy deviates from the user, his peers or the tenant profile.'
+  'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
+   Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an 
+   output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy 
+   deviates from the user, his peers or the tenant profile.'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
       - BehaviorAnalytics
+  - connectorId: AzureActiveDirectory
+    dataTypes:
       - AuditLogs
 tactics:
   - Persistence
@@ -13,10 +18,13 @@ relevantTechniques:
   - T1098
 query: |
 
- //Critical Roles: can impersonate  any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
- //High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
- let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
- let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
+ //Critical Roles can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
+ //High Roles are Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
+ let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10',
+ 'd29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
+ let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070',
+ '7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45',
+ '7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
  AuditLogs
  | where OperationName == "Update user"
  | mv-expand AdditionalDetails
@@ -32,7 +40,19 @@ query: |
  | join kind=inner ( BehaviorAnalytics
  ) on $left._ItemId == $right.SourceRecordId
  | where UsersInsights.BlastRadius == "High" or ActivityInsights has "True"
- |  extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
- UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName) 
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName), UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName) 
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous Account Creation.yaml

@@ -6,7 +6,9 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
        - BehaviorAnalytics
-       - AuditLogs
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
 tactics:
   - Persistence
 relevantTechniques:
@@ -25,5 +27,18 @@ query: |
  UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
  | sort by TimeGenerated desc	
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous Activity Role Assignment.yaml

@@ -17,5 +17,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights contains "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Code Execution.yaml

@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Data Access.yaml

@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Defensive Mechanism Modification.yaml

@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Failed Logon.yaml

@@ -6,6 +6,8 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
       - BehaviorAnalytics
+  - connectorId: AzureActiveDirectory
+    dataTypes:
       - SigninLogs
 tactics:
   - CredentialAccess
@@ -21,5 +23,18 @@ query: |
  ) on $left.SourceRecordId == $right._ItemId
  | extend UserPrincipalName = iff(UserPrincipalName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous Geo Location Logon.yaml

@@ -6,6 +6,8 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
       - BehaviorAnalytics
+  - connectorId: AzureActiveDirectory
+    dataTypes:
       - SigninLogs
 tactics:
   - InitialAccess
@@ -21,5 +23,18 @@ query: |
  ) on $left.SourceRecordId == $right._ItemId
  | extend UserPrincipalName = iff(UserPrincipalName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous Login to Devices.yaml

@@ -18,5 +18,14 @@ query: |
  | where ActivityType == "LogOn"
  | where ActionType == "InteractiveLogon"
  | where ActivityInsights contains "True"
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Password Reset.yaml

@@ -6,7 +6,9 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
        - BehaviorAnalytics
-       - AuditLogs
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
 tactics:
   - Impact
 relevantTechniques:
@@ -24,5 +26,18 @@ query: |
  | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
  | sort by TimeGenerated desc
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous RDP Activity.yaml

@@ -17,5 +17,14 @@ query: |
  | where ActivityType == "LogOn"
  | where ActionType == "RemoteInteractiveLogon"
  | where ActivityInsights has "True"
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Resource Access.yaml

@@ -16,5 +16,14 @@ query: |
  | where ActivityType == "LogOn"
  | where ActionType == "ResourceAccess"
  | where ActivityInsights has "True"
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by bin(TimeGenerated,1d), UserName, UserPrincipalName, tostring(UsersInsights), ActivityType, ActionType, tostring(ActivityInsights), SourceIPAddress, SourceIPLocation, SourceDevice, tostring(DevicesInsights)
+ | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress

Hunting Queries/BehaviorAnalytics/Anomalous Role Assignment.yaml

@@ -6,7 +6,9 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
        - BehaviorAnalytics
-       - AuditLogs
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
 tactics:
   - Persistence
 relevantTechniques:
@@ -27,5 +29,18 @@ query: |
  | join kind=inner ( BehaviorAnalytics
  ) on $left._ItemId == $right.SourceRecordId
  | where UsersInsights.BlasrRadius == "High" or ActivityInsights has "True"
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/BehaviorAnalytics/Anomalous Sign-in Activity.yaml

@@ -10,7 +10,9 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
         - BehaviorAnalytics
-        - SigninLogs
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - SigninLogs
 tactics:
   - Persistence
 relevantTechniques:
@@ -25,5 +27,18 @@ query: |
  ) on $left.SourceRecordId == $right._ItemId
  | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalNam
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: Azure resource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId

Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml

@@ -44,8 +44,8 @@ query: |
   | where private == false
   | where DestinationIP !in (legacy_ldap)
   | where DeviceAction has_any ("allow", "accept", "allowed")
-  | extend timestamp = TimeGenerated
   | project-reorder TimeGenerated, SourceIP, DestinationIP, ApplicationProtocol, DestinationPort, SentBytes, ReceivedBytes, DeviceAction
+  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP
 entityMappings:
   - entityType: IP
     fieldMappings:

Hunting Queries/CommonSecurityLog/PaloAlto-HighRiskPorts.yaml

@@ -100,7 +100,7 @@ query: |
   ) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol
   | project-away Protocol1, Port
   | order by DeviceName asc, SourceIP asc, DestinationIP asc, DestinationPort asc
-  | extend timestamp = StartTime
+  | extend timestamp = StartTime, IPCustomEntity = SourceIP
 entityMappings:
   - entityType: IP
     fieldMappings:

Hunting Queries/DnsEvents/DNS_CommonlyAbusedTLDs.yaml

@@ -26,5 +26,13 @@ query: |
   | where tld in~ (abusedTLD)
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NameCount = count() by Name, ClientIP, tld
   | order by NameCount desc
-  | extend timestamp = StartTime, IPCustomEntity = ClientIP
-
+  | extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = Name
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Name
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP

Hunting Queries/DnsEvents/DNS_DomainAnomalousLookupIncrease.yaml

@@ -58,4 +58,15 @@ query: |
   | where LookupCountToday > ( DailyAvgLookupCountOverLastWeek * avglookupThreshold) and LookupCountToday > lookupThreshold
   | project StartTime, EndTime, ClientIP, SecondLevelDomain = Domain , LookupCountToday , DailyAvgLookupCountOverLastWeek, IPAddresses
   | order by LookupCountToday desc nulls last
-  | extend timestamp = StartTime, IPCustomEntity = ClientIP
+  | extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = SecondLevelDomain
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: SecondLevelDomain
+      - identifier: IpAddress
+        columnName: IPAddresses
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP

Hunting Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.yaml

@@ -54,4 +54,15 @@ query: |
   | where LookupCountToday > (DailyAvgLookupCountOverLastWeek * avglookupThreshold) and LookupCountToday >= lookupThreshold
   | project StartTime, EndTime, ClientIP, LookupCountToday, DailyAvgLookupCountOverLastWeek, FullNameLookup, IPAddresses
   | order by LookupCountToday desc nulls last
-  | extend timestamp = StartTime, IPCustomEntity = ClientIP
+  | extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = FullNameLookup
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: FullNameLookup
+      - identifier: IpAddress
+        columnName: IPAddresses
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP

Hunting Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml

@@ -94,3 +94,8 @@ query: |
   | join FilterOnGlobalThreshold_MainTable on ClientIP
   | project StartTime, EndTime, ClientIP, TotalNXLookups, IPthreshold, GlobalThreshold, SLDs_DistinctLookups, UniqueSLDsCount
   | extend timestamp = StartTime, IPCustomEntity = ClientIP
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP

Hunting Queries/DnsEvents/DNS_HighReverseDNSCount.yaml

@@ -14,7 +14,12 @@ query: |
 
   let threshold = 10;
   DnsEvents 
-  | where Name contains "in-addr.arpa" 
+  | where Name has "in-addr.arpa" 
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NameCount = dcount(Name), Names = make_set(Name), ClientIPCount = count() by ClientIP
   | where NameCount > threshold
   | extend timestamp = StartTime, IPCustomEntity = ClientIP
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP

Hunting Queries/DnsEvents/DNS_LongURILookup.yaml

@@ -55,5 +55,18 @@ query: |
   | join kind= leftanti (
       LocalDomains
   ) on SubDomain 
-  | summarize by TimeGenerated, Computer, ClientIP , Name, Urilength
-  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer
+  | summarize by TimeGenerated, Computer, ClientIP, Name, Urilength
+  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, DomainCustomEntity = Name
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Name
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Computer

Hunting Queries/DnsEvents/DNS_WannaCry.yaml

@@ -23,4 +23,17 @@ query: |
   DnsEvents
   | where Name in~ (badDomains)
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Computer, ClientIP, WannaCrypt_Related_Domain = Name
-  | extend timestamp = StartTime, HostCustomEntity = Computer, IPCustomEntity = ClientIP
+  | extend timestamp = StartTime, HostCustomEntity = Computer, IPCustomEntity = ClientIP, DomainCustomEntity = WannaCrypt_Related_Domain
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: WannaCrypt_Related_Domain
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Computer

Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml

@@ -33,6 +33,13 @@ query: |
   | where subdomain_no > 1
   | extend percentage_numerical = toreal(subdomain_no) / toreal(strlen(sub_domain)) * 100
   | where percentage_numerical < 50 and percentage_numerical > 5
-  | summarize count(), make_set(Name), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name
+  | summarize count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name, IPAddresses
   | order by count_ asc
-  | extend timestamp = FirstSeen
+  | extend timestamp = FirstSeen, IPCustomEntity = IPAddresses, DomainCustomEntity = Name
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Name
+      - identifier: IpAddress
+        columnName: IPAddresses

Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml

@@ -61,4 +61,9 @@ query: |
   //IndexOf allows us to fuzzy match on the substring
   | extend match = indexof(Name, set_target_encoded)
   | where match > -1
-  | extend timestamp = StartTime
+  | extend timestamp = StartTime, DomainCustomEntity = Name
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Name

Hunting Queries/OfficeActivity/new_sharepoint_downloads_by_UserAgent.yaml

@@ -37,3 +37,9 @@ query: |
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities=count() by UserAgent
   | join (HistoricalActivity) on UserAgent
   | project-away UserAgent1
+  | extend timestamp = StartTime, UserAgentCustomEntity = UserAgent
+entityMappings:
+  - entityType: CloudLogonSession
+    fieldMappings:
+      - identifier: UserAgent
+        columnName: UserAgent

Hunting Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml

@@ -65,7 +65,7 @@ query: |
   // The below line can be removed if the actor is using IPs in one country
   | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold
   | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses
-  | extend timestamp=StartTime
+  | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses
 entityMappings:
   - entityType: Account
     fieldMappings:
@@ -74,4 +74,4 @@ entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPs
+        columnName: IPAddresses

Hunting Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml

@@ -13,9 +13,10 @@ relevantTechniques:
   - T1078.004
 query: |
   let starttime = todatetime('{{StartTimeISO}}');
+  let endtime = todatetime('{{EndTimeISO}}');
   let auditLookback = starttime - 14d;
   let ts_data = (SigninLogs
-  | where TimeGenerated between(auditLookback..starttime)
+  | where TimeGenerated between (auditLookback..endtime)
   | where ResultType != 0
   | make-series count() on TimeGenerated step 1h by UserPrincipalName
   | extend series_decompose(count_)
@@ -28,7 +29,14 @@ query: |
   TimeSeriesAlerts
     | join kind=inner (
     SigninLogs
+    | where TimeGenerated between (auditLookback..endtime)
     | summarize ResultTypeCount=count(),ResultTypes=make_set(ResultType), Locations=make_set(Location), Apps=make_set(AppDisplayName), Ips=make_set( IPAddress) by UserPrincipalName, bin(TimeGenerated, 1h)
     ) on UserPrincipalName, TimeGenerated
     | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName
-    | sort by sum_anomalies desc
+    | sort by sum_anomalies desc
+    | extend timestamp = tostring(AnomolyTimes[0]), AccountCustomEntity = UserPrincipalName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: UserPrincipalName

Hunting Queries/SigninLogs/multipleAADAdminRemovals.yaml

@@ -23,8 +23,9 @@ query: |
   | where roleName in~ ("Company Administrator", "Global Administrator") // Add more roles you found interesting here
   | where TargetResources[0].type =~ "User"
   | extend Actor = tostring(TargetResources[0].id), removedUserUpn = tostring(TargetResources[0].userPrincipalName)
-  | summarize removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor
   | where removedAccounts > removedAccountsThreshold
+  | extend timestamp = StartTime, AccountCustomEntity = Actor
 entityMappings:
   - entityType: Account
     fieldMappings:

Hunting Queries/SigninLogs/new_locations_azuread_signin.yaml

@@ -21,9 +21,9 @@ query: |
   SigninLogs
   | where TimeGenerated between(starttime..endtime)
   | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), perIdentityAuthCount = count()
-  by Identity, locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/",
+  by UserPrincipalName, locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/",
   tostring(LocationDetails["city"]), ";" , tostring(LocationDetails["geoCoordinates"]))
-  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), distinctAccountCount = count(), identityList=makeset(Identity) by locationString
+  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), distinctAccountCount = count(), identityList=makeset(UserPrincipalName) by locationString
   | extend identityList = iff(distinctAccountCount<10, identityList, "multiple (>10)")
   | join kind= anti (
   SigninLogs
@@ -35,4 +35,10 @@ query: |
   on locationString
   // select threshold above which #new accounts from a new location is deemed suspicious
   | where distinctAccountCount > countThreshold
-  | extend timestamp = StartTime
+  | mv-expand todynamic(identityList)
+  | extend timestamp = StartTime, AccountCustomEntity = identityList
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: identityList

Hunting Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml

@@ -40,13 +40,14 @@ query: |
   | summarize SignInTimestamp=argmin(SignInTimestamp,*) by AppDisplayName, CorrelationId, AccountObjectId, IPAddress, RiskLevelDuringSignIn;
   registeredDevices 
   | join riskySignins on AccountObjectId 
-  | where  DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h 
+  | where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h 
   | project-away AccountObjectId1
+  | extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: AadUserId
-        columnName: AccountObjectId
+        columnName: AccountUpn
   - entityType: IP
     fieldMappings:
       - identifier: Address

Hunting Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml

@@ -39,11 +39,12 @@ query: |
   | join riskySignins on AccountObjectId 
   | where  MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h 
   | project-away AccountObjectId1
+  | extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: AadUserId
-        columnName: AccountObjectId
+        columnName: AccountUpn
   - entityType: IP
     fieldMappings:
       - identifier: Address

Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml

@@ -19,7 +19,7 @@ query: |
   | where ipv4_is_private(cIP) == false and  cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
   | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
   | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
-  | extend timestamp = TimeGenerated
+  | extend timestamp = TimeGenerated, IPCustomEntity = cIP
 entityMappings:
 - entityType: NetworkConnection
   fieldMappings:

Hunting Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml

@@ -37,7 +37,7 @@ query: |
   | extend susPercentage = susCount / allCount * 100
   | where susPercentage > 90
   | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount
-  | extend timestamp = StartTime
+  | extend timestamp = StartTime, IPCustomEntity = AttackerIP
 entityMappings:
 - entityType: NetworkConnection
   fieldMappings:

Hunting Queries/W3CIISLog/RareClientFileAccess.yaml

@@ -34,4 +34,9 @@ query: |
   | where dcount_list_cIP == clientThreshold 
   //Selects user agent strings that are probably browsers, comment out to see all
   | where csUserAgent startswith "Mozilla"
-  | extend timestamp = StartTime
+  | extend timestamp = StartTime, UserAgentCustomEntity = csUserAgent
+entityMappings:
+  - entityType: CloudLogonSession
+    fieldMappings:
+      - identifier: UserAgent
+        columnName: csUserAgent

Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml

@@ -40,4 +40,9 @@ query: |
   //Collection of the exfiltration will occur only once, lets check for 2 accesses in case they mess up
   //Tailor this for hunting
   | where Access <= 2 and dcount_cIP == 1
-  | extend timestamp = StartTime
+  | extend timestamp = StartTime, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Computer