Couple more fixes
This commit is contained in:
Родитель
5c5ada4bbd
Коммит
2d8241d2e2
@ -61,10 +61,10 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: TargetAadUserId
|
||||
- identifier: AadUserId
|
||||
columnName: InitiatingAadUserId
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: InitiatingAadUserId
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
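Review bot: The hunk maps `columnName: InitiatingAadUserId` under two separate Account entities (the one that also carries `TargetAadUserId`, and the single-field entity that follows it); the rendering has lost the +/- markers, so I cannot tell which of these is the new side, but if both survive the change the initiating user is emitted twice as distinct Account entities, which inflates the entity list on every alert and adds nothing for correlation. If the second entity is the one kept, the `AadUserId`/`InitiatingAadUserId` pair should be dropped from the first so each identity appears once, as the neighbouring hunks in this commit already do for the Name/UPNSuffix/AadUserId groups. The enclosing entityMappings list starts before this hunk and the IP entity's `columnName` for `Address` falls after it.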
@ -49,8 +49,6 @@ entityMappings:
|
|||
columnName: InitiatingAccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: InitiatingAccountUPNSuffix
|
||||
- identifier: AadUserId
|
||||
columnName: InitiatingAadUserId
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
@ -61,8 +61,6 @@ entityMappings:
|
|||
columnName: InitiatingAccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: InitiatingAccountUPNSuffix
|
||||
- identifier: AadUserId
|
||||
columnName: InitiatingAadUserId
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
@ -46,8 +46,6 @@ entityMappings:
|
|||
columnName: Name
|
||||
- identifier: UPNSuffix
|
||||
columnName: UPNSuffix
|
||||
- identifier: AadUserId
|
||||
columnName: AadUserId
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
@ -101,7 +101,7 @@ entityMappings:
|
|||
columnName: TargetDomainName
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
- identifier: FullName
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
@ -39,14 +39,14 @@ query: |
|
|||
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
|
||||
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
|
||||
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
|
||||
| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName)
|
||||
| extend Account = strcat(AccountDomain, "\\", AccountName)
|
||||
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: InitiatingProcessAccount
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
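Review bot: The `Account` column is built as `strcat(AccountDomain, "\\", AccountName)`, so for rows where the initiating process has no domain (local or built-in accounts are common on endpoints) the Account entity's FullName becomes `\name` with a leading backslash, which will not match the same account elsewhere in Sentinel. Guarding on the empty domain keeps the fix intact: `| extend Account = iff(isempty(AccountDomain), AccountName, strcat(AccountDomain, "\\", AccountName))`. The +/- markers are lost in this rendering, but only the `AccountDomain`/`AccountName` form can be the surviving one: the `project` line two rows above renames `InitiatingProcessAccountDomain` and `InitiatingProcessAccountName` to those aliases, so a later `extend` over the original names has no column to read. The `query` block starts before this hunk and the NTDomain mapping's `columnName` falls after it.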