Adding additional entity outputs as needed by other tooling and to support future automap of entities similar to Detections
Родитель
59cb99dec0
Коммит
2229646bff
|
@ -3,7 +3,7 @@ name: Account Added to Privileged PIM Group
|
|||
description: |
|
||||
'Identifies accounts that have been added to a PIM managed privileged group'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Azure Active Directory
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- AuditLogs
|
||||
tactics:
|
||||
|
@ -21,13 +21,12 @@ query: |
|
|||
| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
|
||||
| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
|
||||
| extend Initiatedby = Identity
|
||||
| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
|
||||
| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResultReason, ResourceId, Id
|
||||
| sort by TimeGenerated desc
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = TargetAccount, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Initiatedby
|
||||
- identifier: FullName
|
||||
columnName: TargetAccount
|
||||
- entityType: Azure resource
|
||||
|
|
|
@ -18,11 +18,20 @@ query: |
|
|||
AzureActivity
|
||||
| where OperationNameValue has_any (@"deployments/write", @"virtualMachines/write")
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| summarize by bin(TimeGenerated,1h), Resource, ResourceGroup, OperationNameValue, Caller
|
||||
| summarize by bin(TimeGenerated,1d), Resource, ResourceGroup, ResourceId, OperationNameValue, Caller
|
||||
| evaluate basket()
|
||||
| where isnotempty(Caller) and isnotempty(Resource) and isnotempty(TimeGenerated)
|
||||
| order by Percent desc, TimeGenerated desc
|
||||
| extend timestamp = TimeGenerated
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, ResourceCustomEntity = ResourceId
|
||||
// remove comments below on filters if the goal is to see more common or more rare Resource, Resource Group and Caller combinations
|
||||
//| where Percent <= 40 // <-- more rare
|
||||
//| where Percent >= 60 // <-- more common
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Caller
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
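Review bot: The resource mapping added at the end of this hunk uses `entityType: Azure resource`, which reads like a display label rather than the type identifier. Sentinel's entity-mapping schema names this type `AzureResource`, so tooling that matches on the identifier may skip or reject the entry. Suggest `- entityType: AzureResource` here and in the other sections of this commit that add the same block. Separately, `ResourceId` is read after `evaluate basket()` but is not covered by the `isnotempty(...)` filter, so `ResourceCustomEntity` may be empty on pattern rows where basket leaves that column blank; this is worth checking against real output.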
|
|
@ -1,11 +1,16 @@
|
|||
id: 8741deeb-332e-4061-8873-5086040920e3
|
||||
name: Anomalous AAD Account Manipulation
|
||||
description: |
|
||||
'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy deviates from the user, his peers or the tenant profile.'
|
||||
'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups.
|
||||
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an
|
||||
output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy
|
||||
deviates from the user, his peers or the tenant profile.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- AuditLogs
|
||||
tactics:
|
||||
- Persistence
|
||||
|
@ -13,10 +18,13 @@ relevantTechniques:
|
|||
- T1098
|
||||
query: |
|
||||
|
||||
//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
|
||||
//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
|
||||
let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
|
||||
let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
|
||||
//Critical Roles can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
|
||||
//High Roles are Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
|
||||
let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10',
|
||||
'd29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
|
||||
let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070',
|
||||
'7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45',
|
||||
'7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
|
||||
AuditLogs
|
||||
| where OperationName == "Update user"
|
||||
| mv-expand AdditionalDetails
|
||||
|
@ -32,7 +40,19 @@ query: |
|
|||
| join kind=inner ( BehaviorAnalytics
|
||||
) on $left._ItemId == $right.SourceRecordId
|
||||
| where UsersInsights.BlastRadius == "High" or ActivityInsights has "True"
|
||||
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName), UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
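Review bot: The Account mapping added in the last hunk points at a column that does not exist: `columnName: UserPrincipalNam` is missing the trailing `e`, while the query projects `UserPrincipalName`. With the name unresolved, the account entity will presumably not be populated by the automap this commit prepares for, leaving account-manipulation results without the acting user attached. Change it to `columnName: UserPrincipalName`. The same truncated name is repeated in every later BehaviorAnalytics-based section on this page, so it should be corrected across the whole commit rather than file by file.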
|
|
@ -6,7 +6,9 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- AuditLogs
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- AuditLogs
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
|
@ -25,5 +27,18 @@ query: |
|
|||
UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| sort by TimeGenerated desc
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
|
@ -17,5 +17,14 @@ query: |
|
|||
BehaviorAnalytics
|
||||
| where ActionType in(operations)
|
||||
| where ActivityInsights contains "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
|
@ -15,5 +15,14 @@ query: |
|
|||
BehaviorAnalytics
|
||||
| where ActionType in(operations)
|
||||
| where ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
|
|
|
@ -15,5 +15,14 @@ query: |
|
|||
BehaviorAnalytics
|
||||
| where ActionType in(operations)
|
||||
| where ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
|
|
|
@ -15,5 +15,14 @@ query: |
|
|||
BehaviorAnalytics
|
||||
| where ActionType in(operations)
|
||||
| where ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
|
|
|
@ -6,6 +6,8 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- SigninLogs
|
||||
tactics:
|
||||
- CredentialAccess
|
||||
|
@ -21,5 +23,18 @@ query: |
|
|||
) on $left.SourceRecordId == $right._ItemId
|
||||
| extend UserPrincipalName = iff(UserPrincipalName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
||||
|
|
|
@ -6,6 +6,8 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- SigninLogs
|
||||
tactics:
|
||||
- InitialAccess
|
||||
|
@ -21,5 +23,18 @@ query: |
|
|||
) on $left.SourceRecordId == $right._ItemId
|
||||
| extend UserPrincipalName = iff(UserPrincipalName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName contains "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
|
@ -18,5 +18,14 @@ query: |
|
|||
| where ActivityType == "LogOn"
|
||||
| where ActionType == "InteractiveLogon"
|
||||
| where ActivityInsights contains "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
|
@ -6,7 +6,9 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- AuditLogs
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- AuditLogs
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
|
@ -24,5 +26,18 @@ query: |
|
|||
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| sort by TimeGenerated desc
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
|
@ -17,5 +17,14 @@ query: |
|
|||
| where ActivityType == "LogOn"
|
||||
| where ActionType == "RemoteInteractiveLogon"
|
||||
| where ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
|
@ -16,5 +16,14 @@ query: |
|
|||
| where ActivityType == "LogOn"
|
||||
| where ActionType == "ResourceAccess"
|
||||
| where ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by bin(TimeGenerated,1d), UserName, UserPrincipalName, tostring(UsersInsights), ActivityType, ActionType, tostring(ActivityInsights), SourceIPAddress, SourceIPLocation, SourceDevice, tostring(DevicesInsights)
|
||||
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
|
@ -6,7 +6,9 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- AuditLogs
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- AuditLogs
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
|
@ -27,5 +29,18 @@ query: |
|
|||
| join kind=inner ( BehaviorAnalytics
|
||||
) on $left._ItemId == $right.SourceRecordId
|
||||
| where UsersInsights.BlasrRadius == "High" or ActivityInsights has "True"
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
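Review bot: The context line `| where UsersInsights.BlasrRadius == "High" or ActivityInsights has "True"` misspells the property; the sibling query earlier in this commit reads `UsersInsights.BlastRadius`. A property that is absent from a dynamic value evaluates to null, so the high-blast-radius half of the condition can never match and the query returns only rows where `ActivityInsights has "True"`. Since this file is being touched anyway, correct it to `UsersInsights.BlastRadius == "High"`. The Account mapping added in this hunk also has `columnName: UserPrincipalNam`, which should be `UserPrincipalName`. The query starts outside the hunk, so the join's left side is not visible here.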
|
|
@ -10,7 +10,9 @@ requiredDataConnectors:
|
|||
- connectorId: BehaviorAnalytics
|
||||
dataTypes:
|
||||
- BehaviorAnalytics
|
||||
- SigninLogs
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- SigninLogs
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
|
@ -25,5 +27,18 @@ query: |
|
|||
) on $left.SourceRecordId == $right._ItemId
|
||||
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
|
||||
UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,["Evidence"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
||||
| extend timestamp = TimeGenerated
|
||||
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: UserPrincipalNam
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPAddress
|
||||
- entityType: Azure resource
|
||||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
|
@ -44,8 +44,8 @@ query: |
|
|||
| where private == false
|
||||
| where DestinationIP !in (legacy_ldap)
|
||||
| where DeviceAction has_any ("allow", "accept", "allowed")
|
||||
| extend timestamp = TimeGenerated
|
||||
| project-reorder TimeGenerated, SourceIP, DestinationIP, ApplicationProtocol, DestinationPort, SentBytes, ReceivedBytes, DeviceAction
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
|
|
|
@ -100,7 +100,7 @@ query: |
|
|||
) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol
|
||||
| project-away Protocol1, Port
|
||||
| order by DeviceName asc, SourceIP asc, DestinationIP asc, DestinationPort asc
|
||||
| extend timestamp = StartTime
|
||||
| extend timestamp = StartTime, IPCustomEntity = SourceIP
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
|
|
|
@ -26,5 +26,13 @@ query: |
|
|||
| where tld in~ (abusedTLD)
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NameCount = count() by Name, ClientIP, tld
|
||||
| order by NameCount desc
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP
|
||||
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = Name
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: Name
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
|
@ -58,4 +58,15 @@ query: |
|
|||
| where LookupCountToday > ( DailyAvgLookupCountOverLastWeek * avglookupThreshold) and LookupCountToday > lookupThreshold
|
||||
| project StartTime, EndTime, ClientIP, SecondLevelDomain = Domain , LookupCountToday , DailyAvgLookupCountOverLastWeek, IPAddresses
|
||||
| order by LookupCountToday desc nulls last
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = SecondLevelDomain
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: SecondLevelDomain
|
||||
- identifier: IpAddress
|
||||
columnName: IPAddresses
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
|
@ -54,4 +54,15 @@ query: |
|
|||
| where LookupCountToday > (DailyAvgLookupCountOverLastWeek * avglookupThreshold) and LookupCountToday >= lookupThreshold
|
||||
| project StartTime, EndTime, ClientIP, LookupCountToday, DailyAvgLookupCountOverLastWeek, FullNameLookup, IPAddresses
|
||||
| order by LookupCountToday desc nulls last
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP, DomainCustomEntity = FullNameLookup
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: FullNameLookup
|
||||
- identifier: IpAddress
|
||||
columnName: IPAddresses
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
|
@ -94,3 +94,8 @@ query: |
|
|||
| join FilterOnGlobalThreshold_MainTable on ClientIP
|
||||
| project StartTime, EndTime, ClientIP, TotalNXLookups, IPthreshold, GlobalThreshold, SLDs_DistinctLookups, UniqueSLDsCount
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
|
@ -14,7 +14,12 @@ query: |
|
|||
|
||||
let threshold = 10;
|
||||
DnsEvents
|
||||
| where Name contains "in-addr.arpa"
|
||||
| where Name has "in-addr.arpa"
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NameCount = dcount(Name), Names = make_set(Name), ClientIPCount = count() by ClientIP
|
||||
| where NameCount > threshold
|
||||
| extend timestamp = StartTime, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
|
@ -55,5 +55,18 @@ query: |
|
|||
| join kind= leftanti (
|
||||
LocalDomains
|
||||
) on SubDomain
|
||||
| summarize by TimeGenerated, Computer, ClientIP , Name, Urilength
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer
|
||||
| summarize by TimeGenerated, Computer, ClientIP, Name, Urilength
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, DomainCustomEntity = Name
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: Name
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Computer
|
|
@ -23,4 +23,17 @@ query: |
|
|||
DnsEvents
|
||||
| where Name in~ (badDomains)
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Computer, ClientIP, WannaCrypt_Related_Domain = Name
|
||||
| extend timestamp = StartTime, HostCustomEntity = Computer, IPCustomEntity = ClientIP
|
||||
| extend timestamp = StartTime, HostCustomEntity = Computer, IPCustomEntity = ClientIP, DomainCustomEntity = WannaCrypt_Related_Domain
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: WannaCrypt_Related_Domain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Computer
|
||||
|
|
|
@ -33,6 +33,13 @@ query: |
|
|||
| where subdomain_no > 1
|
||||
| extend percentage_numerical = toreal(subdomain_no) / toreal(strlen(sub_domain)) * 100
|
||||
| where percentage_numerical < 50 and percentage_numerical > 5
|
||||
| summarize count(), make_set(Name), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name
|
||||
| summarize count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name, IPAddresses
|
||||
| order by count_ asc
|
||||
| extend timestamp = FirstSeen
|
||||
| extend timestamp = FirstSeen, IPCustomEntity = IPAddresses, DomainCustomEntity = Name
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: Name
|
||||
- identifier: IpAddress
|
||||
columnName: IPAddresses
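Review bot: Adding `IPAddresses` to the `by` clause of the new `summarize` changes what `count_` measures. The old line counted lookups per `Name`; the new one counts per `Name` and resolved-address value, so a domain whose answers rotate is split into several low-count rows and the `order by count_ asc` ranking shifts. If the column is only needed for the entity output, keep the grouping on `Name` and carry the addresses as an aggregate such as `make_set(IPAddresses)`. `IPAddresses` in DNS data appears to hold the resolved answer list rather than a single address, so `IPCustomEntity = IPAddresses` may not map to one IP entity; confirm the expected shape before relying on it.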
|
|
@ -61,4 +61,9 @@ query: |
|
|||
//IndexOf allows us to fuzzy match on the substring
|
||||
| extend match = indexof(Name, set_target_encoded)
|
||||
| where match > -1
|
||||
| extend timestamp = StartTime
|
||||
| extend timestamp = StartTime, DomainCustomEntity = Name
|
||||
entityMappings:
|
||||
- entityType: DNS
|
||||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: Name
|
|
@ -37,3 +37,9 @@ query: |
|
|||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities=count() by UserAgent
|
||||
| join (HistoricalActivity) on UserAgent
|
||||
| project-away UserAgent1
|
||||
| extend timestamp = StartTime, UserAgentCustomEntity = UserAgent
|
||||
entityMappings:
|
||||
- entityType: CloudLogonSession
|
||||
fieldMappings:
|
||||
- identifier: UserAgent
|
||||
columnName: UserAgent
|
|
@ -65,7 +65,7 @@ query: |
|
|||
// The below line can be removed if the actor is using IPs in one country
|
||||
| where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold
|
||||
| project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses
|
||||
| extend timestamp=StartTime
|
||||
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
@ -74,4 +74,4 @@ entityMappings:
|
|||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPs
|
||||
columnName: IPAddresses
|
|
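Review bot: `IPAddresses` no longer exists once the `project` line renames it to `FailureIPAddresses`, so both the new `IPCustomEntity = IPAddresses` and the `columnName: IPAddresses` mapping under the IP entity refer to a column the query does not output. Either use the projected name, `| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = FailureIPAddresses` with `columnName: FailureIPAddresses`, or keep the mapping on the projected `IPs` column. The value also looks like a set of addresses rather than a single one (inferred from the name; its definition is outside the hunk), so an `mv-expand` before the mapping may be needed for the IP entity to resolve. Which of the two `columnName` lines is the new one is inferred from print order.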
@ -13,9 +13,10 @@ relevantTechniques:
|
|||
- T1078.004
|
||||
query: |
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let auditLookback = starttime - 14d;
|
||||
let ts_data = (SigninLogs
|
||||
| where TimeGenerated between(auditLookback..starttime)
|
||||
| where TimeGenerated between (auditLookback..endtime)
|
||||
| where ResultType != 0
|
||||
| make-series count() on TimeGenerated step 1h by UserPrincipalName
|
||||
| extend series_decompose(count_)
|
||||
|
@ -28,7 +29,14 @@ query: |
|
|||
TimeSeriesAlerts
|
||||
| join kind=inner (
|
||||
SigninLogs
|
||||
| where TimeGenerated between (auditLookback..endtime)
|
||||
| summarize ResultTypeCount=count(),ResultTypes=make_set(ResultType), Locations=make_set(Location), Apps=make_set(AppDisplayName), Ips=make_set( IPAddress) by UserPrincipalName, bin(TimeGenerated, 1h)
|
||||
) on UserPrincipalName, TimeGenerated
|
||||
| summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName
|
||||
| sort by sum_anomalies desc
|
||||
| sort by sum_anomalies desc
|
||||
| extend timestamp = tostring(AnomolyTimes[0]), AccountCustomEntity = UserPrincipalName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: UserPrincipalName
|
|
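Review bot: The Account mapping binds the `AadUserId` identifier to `UserPrincipalName`, but that identifier is meant for the directory object ID, so a UPN placed there is unlikely to resolve to an account entity; a UPN would normally be mapped through `FullName`, as the PIM group query in this commit does. The same mismatch appears later in this commit where `AadUserId` is pointed at `identityList`, and in the two risky sign-in queries where it is switched from `AccountObjectId` to `AccountUpn`, replacing a mapping that looked correct. Separately, `timestamp = tostring(AnomolyTimes[0])` takes an arbitrary member of a `make_set` and stores it as a string. Adding `StartTime = min(TimeGenerated)` to the final `summarize` and using `timestamp = StartTime` would give the earliest anomaly as a datetime, consistent with the other queries.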
@ -23,8 +23,9 @@ query: |
|
|||
| where roleName in~ ("Company Administrator", "Global Administrator") // Add more roles you found interesting here
|
||||
| where TargetResources[0].type =~ "User"
|
||||
| extend Actor = tostring(TargetResources[0].id), removedUserUpn = tostring(TargetResources[0].userPrincipalName)
|
||||
| summarize removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor
|
||||
| where removedAccounts > removedAccountsThreshold
|
||||
| extend timestamp = StartTime, AccountCustomEntity = Actor
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
|
|
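Review bot: `AccountCustomEntity = Actor` surfaces the wrong account as far as the visible lines show: `Actor` is read from `TargetResources[0].id`, the same resource `removedUserUpn` comes from, so it is the object ID of the account that lost the role rather than the one that performed the removal. Grouping by that value also means `removedAccounts` can hardly exceed one per group, which would keep the `removedAccountsThreshold` filter from ever matching. If the intent is to flag the administrator doing the removals, the actor should be taken from the audit record's `InitiatedBy` field and the entity built from that. The start of the query and the rest of `fieldMappings` are outside this hunk, so confirm against the full file.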
@ -21,9 +21,9 @@ query: |
|
|||
SigninLogs
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), perIdentityAuthCount = count()
|
||||
by Identity, locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/",
|
||||
by UserPrincipalName, locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/",
|
||||
tostring(LocationDetails["city"]), ";" , tostring(LocationDetails["geoCoordinates"]))
|
||||
| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), distinctAccountCount = count(), identityList=makeset(Identity) by locationString
|
||||
| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), distinctAccountCount = count(), identityList=makeset(UserPrincipalName) by locationString
|
||||
| extend identityList = iff(distinctAccountCount<10, identityList, "multiple (>10)")
|
||||
| join kind= anti (
|
||||
SigninLogs
|
||||
|
@ -35,4 +35,10 @@ query: |
|
|||
on locationString
|
||||
// select threshold above which #new accounts from a new location is deemed suspicious
|
||||
| where distinctAccountCount > countThreshold
|
||||
| extend timestamp = StartTime
|
||||
| mv-expand todynamic(identityList)
|
||||
| extend timestamp = StartTime, AccountCustomEntity = identityList
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: identityList
|
|
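Review bot: For any location with ten or more accounts, `identityList` has already been replaced by the literal string `"multiple (>10)"`, so the new `mv-expand todynamic(identityList)` and `AccountCustomEntity = identityList` yield a placeholder instead of accounts for exactly the largest clusters. Keep the full set for the entity and apply the shortening only to a display column, e.g. `| extend identityDisplay = iff(distinctAccountCount<10, tostring(identityList), "multiple (>10)")`, then expand the untouched `identityList`. The middle of the query, including the body of the `join kind= anti`, lies outside the two hunks.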
@ -40,13 +40,14 @@ query: |
|
|||
| summarize SignInTimestamp=argmin(SignInTimestamp,*) by AppDisplayName, CorrelationId, AccountObjectId, IPAddress, RiskLevelDuringSignIn;
|
||||
registeredDevices
|
||||
| join riskySignins on AccountObjectId
|
||||
| where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h
|
||||
| where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h
|
||||
| project-away AccountObjectId1
|
||||
| extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: AccountObjectId
|
||||
columnName: AccountUpn
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
|
|
|
@ -39,11 +39,12 @@ query: |
|
|||
| join riskySignins on AccountObjectId
|
||||
| where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h
|
||||
| project-away AccountObjectId1
|
||||
| extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: AccountObjectId
|
||||
columnName: AccountUpn
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
|
|
|
@ -19,7 +19,7 @@ query: |
|
|||
| where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
|
||||
| where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
|
||||
| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
|
||||
| extend timestamp = TimeGenerated
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = cIP
|
||||
entityMappings:
|
||||
- entityType: NetworkConnection
|
||||
fieldMappings:
|
||||
|
|
|
@ -37,7 +37,7 @@ query: |
|
|||
| extend susPercentage = susCount / allCount * 100
|
||||
| where susPercentage > 90
|
||||
| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount
|
||||
| extend timestamp = StartTime
|
||||
| extend timestamp = StartTime, IPCustomEntity = AttackerIP
|
||||
entityMappings:
|
||||
- entityType: NetworkConnection
|
||||
fieldMappings:
|
||||
|
|
|
@ -34,4 +34,9 @@ query: |
|
|||
| where dcount_list_cIP == clientThreshold
|
||||
//Selects user agent strings that are probably browsers, comment out to see all
|
||||
| where csUserAgent startswith "Mozilla"
|
||||
| extend timestamp = StartTime
|
||||
| extend timestamp = StartTime, UserAgentCustomEntity = csUserAgent
|
||||
entityMappings:
|
||||
- entityType: CloudLogonSession
|
||||
fieldMappings:
|
||||
- identifier: UserAgent
|
||||
columnName: csUserAgent
|
|
@ -40,4 +40,9 @@ query: |
|
|||
//Collection of the exfiltration will occur only once, lets check for 2 accesses in case they mess up
|
||||
//Tailor this for hunting
|
||||
| where Access <= 2 and dcount_cIP == 1
|
||||
| extend timestamp = StartTime
|
||||
| extend timestamp = StartTime, HostCustomEntity = Computer
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Computer
|