Shain 2023-12-14 22:59:43 -08:00
Родитель 5c5ada4bbd
Коммит 2d8241d2e2
6 изменённых файлов: 5 добавлений и 11 удалений


@ -61,10 +61,10 @@ entityMappings:
fieldMappings:
- identifier: AadUserId
columnName: TargetAadUserId
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: IP
fieldMappings:
- identifier: Address
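Review bot: As printed, the first Account entity in this hunk carries the `AadUserId` identifier twice (`columnName: TargetAadUserId` and `columnName: InitiatingAadUserId`), and the added/removed markers are not recoverable in this view, so it is not clear which pair survives on the new side. If both remain under one `fieldMappings` list, the rule will most likely be rejected, since an identifier is expected to appear at most once per entity mapping; the target and initiating users should each sit in their own `- entityType: Account` block, as the later Account entity in the same hunk already does. A one-line YAML comment above the first mapping, `# one AadUserId per Account entity: target and initiating users are separate entities`, would document the intent for the next editor. The entityMappings list continues past the end of the hunk.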


@ -49,8 +49,6 @@ entityMappings:
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId


@ -61,8 +61,6 @@ entityMappings:
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId


@ -46,8 +46,6 @@ entityMappings:
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: AadUserId
columnName: AadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId


@ -101,7 +101,7 @@ entityMappings:
columnName: TargetDomainName
- entityType: Host
fieldMappings:
- identifier: HostName
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName


@ -39,14 +39,14 @@ query: |
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName)
| extend Account = strcat(AccountDomain, "\\", AccountName)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingProcessAccount
columnName: Account
- identifier: Name
columnName: AccountName
- identifier: NTDomain
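Review bot: The `Account` column built on the `extend Account = strcat(AccountDomain, "\\", AccountName)` line (which appears to be the new side, since the preceding `project` renames the Initiating* columns to `AccountDomain`/`AccountName`) produces a leading-backslash value such as `\SYSTEM` whenever the domain is empty, and that value is then used as the Account entity's `FullName`. Guarding the join would keep the entity clean for domainless accounts: `| extend Account = iff(isempty(AccountDomain), AccountName, strcat(AccountDomain, "\\", AccountName))`. The `Name` and `NTDomain` mappings that follow already cover the split form, so `FullName` mainly needs to be consistent with them. Both the query and the entityMappings list continue outside this hunk.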