folder restructure for hunting queries, exploration queries, and built-in alerts aka detections. (#12)

2019-01-24 10:30:15 +00:00 · 2019-01-24 10:30:15 +00:00 · 38faeb1656
--- a/Detections/SecurityEvent/base_encoded_pefile.txt
+++ b/Detections/SecurityEvent/base_encoded_pefile.txt
@ -1,5 +1,21 @@
-// Finding base64 encoded PE files header seen in the command line parameters
+// Name: Base64 encoded Windows executables in process commandlines
-// Tags: #Initial Access, #Execution, #Defense Evasion
+
 // Description: finds instances of base64 encoded PE files header seen in process command line parameter.
 // Severity: Medium
 // QueryFrequency: 24
 // QueryPeriod: 24
 // AlertTriggerOperator: gt
 // AlertTriggerThreshold: 0
 // Data source: SecurityEvent
 // Techniques: #Initial Access, #Execution, #Defense Evasion
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
@ -11,4 +27,5 @@ InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",Init
 processEvents};
 ProcessCreationEvents
 | where ProcessCommandLine contains "TVqQAAMAAAAEAAA"
 | where TimeGenerated >= ago(24h)
 | top 1000 by TimeGenerated
--- a/Detections/SecurityEvent/execute_base64_decodedpayload.txt
+++ b/Detections/SecurityEvent/execute_base64_decodedpayload.txt
@ -0,0 +1,40 @@
 // Name: Process executed from binary hidden in Base64 encoded file. 
 // Description:  Encoding malicious software is a technique to obfuscate files from detection.
 //   The first ProcessCommandLine component is looking for Python decoding base64
 //   The second ProcesssCommandLine component is looking for the Bash/sh commandline base64 decoding tool
 //   The third one is looking for Ruby decoding base64
 // Severity: Medium
 // QueryFrequency: 24
 // QueryPeriod: 24
 // AlertTriggerOperator: gt
 // AlertTriggerThreshold: 0
 // Data source: SecurityEvent
 // Techniques: #Initial Access, #Execution, #Defense Evasion
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
 | project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,AccountDomain=SubjectDomainName,
 FileName=tostring(split(NewProcessName, '\\')[-1], // convert SecurityEvents raw schema to get FileName & CommandLine 
 ProcessCommandLine = CommandLine, 
 FolderPath = "",
 InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
 processEvents ;
 };
 ProcessCreationEvents 
 | where TimeGenerated > ago(1d) 
 | where ProcessCommandLine contains ".decode('base64')"
        or ProcessCommandLine contains "base64 --decode"
        or ProcessCommandLine contains ".decode64(" 
 | project TimeGenerated , ComputerName , FileName , ProcessCommandLine , InitiatingProcessCommandLine 
 | top 100 by EventTime 
--- a/Detections/SecurityEvent/malware_in_recyclebin.txt
+++ b/Detections/SecurityEvent/malware_in_recyclebin.txt
@ -1,6 +1,22 @@
-// Finding attackers hiding malware in the recycle bin.
+// Name: Malware in the recycle bin.
 //
 // Description: finding attackers hiding malware in the recycle bin.
 // Read more here: https://azure.microsoft.com/en-us/blog/how-azure-security-center-helps-reveal-a-cyberattack/ 
-// Tags: #Execution, #Defense Evasion
+//
 // Severity: Medium
 //
 // QueryFrequency: 24
 //
 // QueryPeriod: 24
 //
 // AlertTriggerOperator: gt
 //
 // AlertTriggerThreshold: 0
 //
 // Data source: SecurityEvent
 //
 // Techniques: #Execution, #Defense Evasion
 //
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
--- a/Queries/OfficeActivity/office_activity.txt
+++ b/Queries/OfficeActivity/office_activity.txt
--- a/Queries/lateral_movement/user_office_logons.txt
+++ b/Queries/lateral_movement/user_office_logons.txt
--- a/Queries/lateral_movement/hosts_with_new_logons.txt
+++ b/Queries/lateral_movement/hosts_with_new_logons.txt
--- a/Queries/lateral_movement/user_logons.txt
+++ b/Queries/lateral_movement/user_logons.txt
--- a/Queries/lateral_movement/authentications.txt
+++ b/Queries/lateral_movement/authentications.txt
--- a/Functions/AlertsOnComputer.txt
+++ b/Functions/AlertsOnComputer.txt
@ -0,0 +1,7 @@
 // If we also wanted to see what alerts fired on these machines we could extend the above query and join them with the SecurityAlerts table from Azure Security Center.
 // Azure Security Center must be enabled for this query to be valid
 | join (SecurityAlert
                 | extend ExtProps=parsejson(ExtendedProperties)
                 | extend Computer=toupper(tostring(ExtProps["Compromised Host"]))
                 )
 on Computer
--- a/Queries/DNS_Events/DNS_DomainAnomalousLookupIncrease.txt
+++ b/Queries/DNS_Events/DNS_DomainAnomalousLookupIncrease.txt
--- a/Queries/DNS_Events/DNS_FullNameAnomalousLookupIncrease.txt
+++ b/Queries/DNS_Events/DNS_FullNameAnomalousLookupIncrease.txt
--- a/Queries/OfficeActivity/create_office_account.txt
+++ b/Queries/OfficeActivity/create_office_account.txt
@ -0,0 +1,14 @@
 // Name: Summary of users creating new user accounts
 //
 // Description: creating new user accounts is a privileged activity that may be abused by attackers to provide persistent access.
 // Reviewing which user accounts have been created, and by whom, can help detect attacker attempts to provide themselves with backdoor access to data.
 //
 // Data source: OfficeActivity
 //
 // Techniques: #Persistence
 //
 OfficeActivity
 | where Operation == "Add user."
 | project addedBy=UserId, newUser=OfficeObjectId 
 | summarize newUserCount=dcount(newUser) by addedBy
 | render barchart
--- a/Queries/OfficeActivity/multiple_IPs_for_authentication.txt
+++ b/Queries/OfficeActivity/multiple_IPs_for_authentication.txt
@ -1,10 +1,15 @@
-// Name: Accounts and User Agents associated with multiple IPs.
+// Name: Accounts and User Agents associated with multiple IPs in Office Azure Active Directory authentications.
 //
 // Description: summary of users/user agents associated with authentications from multiple IPs within a short timeframe.
 // This query computes and joins two tables to highlight IPs associated with multiple authentications:
 // 1- UserAgents seen in authentications from multiple IPs within short timeframe
 // 2- User Ids seen authenticated from multiple IPs
 // The time window join looks for instances of a small elpased time between logons.
-// Tags: #InitialAccess
+//
 // Data source: OfficeActivity
 //
 // Techniques: #InitialAccess
 //
 let timeRange=ago(7d);
 let officeAuthentications = 
 OfficeActivity
--- a/Queries/OfficeActivity/new_sharepoint_downloads_byIP.txt
+++ b/Queries/OfficeActivity/new_sharepoint_downloads_byIP.txt
@ -0,0 +1,23 @@
 // Name: sharepoint downloads from previously unseen IP address.
 //
 // Description: Shows volume of documents uploaded to or downloaded from Sharepoint by new IP addresses. 
 // In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
 //
 // Data source: OfficeActivity
 //
 // Techniques: #Exfiltration
 //
 let historicalActivity=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 | summarize historicalCount=count() by ClientIP;
 let recentActivity = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 | summarize recentCount=count() by ClientIP;
 recentActivity | join kind= leftanti (
   historicalActivity 
 ) on ClientIP; 
--- a/Queries/OfficeActivity/new_sharepoint_downloads_byUserAgent.txt
+++ b/Queries/OfficeActivity/new_sharepoint_downloads_byUserAgent.txt
@ -0,0 +1,25 @@
 // Name: sharepoint downloads from devices associated with previously unseen user agents.
 //
 // Description: tracking via user agent is one way to differentiate between types of connecting device. 
 // In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. 
 // In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume
 // which could be associated with large-scale document exfiltration.
 //
 // Data source: OfficeActivity
 //
 // Techniques: #Exfiltration
 //
 let historicalActivity=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 | summarize historicalCount=count() by UserAgent;
 let recentActivity = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 | summarize recentCount=count() by UserAgent;
 recentActivity | join kind= leftouter (
   historicalActivity 
 ) on UserAgent; 
--- a/Queries/OfficeActivity/sharepoint_downloads.txt
+++ b/Queries/OfficeActivity/sharepoint_downloads.txt
@ -0,0 +1,22 @@
 // Name: New user agents associated with a clientIP for sharepoint file uploads/downloads
 //
 // Description: New user agents associated with a clientIP for sharepoint file uploads/downloads. 
 //
 // Data source: OfficeActivity
 //
 // Techniques: #Exfiltration
 //
 let historicalUA=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 | summarize by ClientIP, UserAgent;
 let recentUA = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 | summarize by ClientIP, UserAgent;
 recentUA | join kind=leftanti (
   historicalUA 
 ) on ClientIP, UserAgent; 
--- a/Queries/SecurityEvent/cscript_summary.txt
+++ b/Queries/SecurityEvent/cscript_summary.txt
@ -1,5 +1,11 @@
-// cscript script daily summary breakdown
+// Name: cscript script daily summary breakdown
-// Tags: #Execution
+//
 // Description:  breakdown of scripts running in the environment
 //
 // Data source: SecurityEvent
 //
 // Techniques: #Execution
 //
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
--- a/Queries/SecurityEvent/enumeration_user_and_group.txt
+++ b/Queries/SecurityEvent/enumeration_user_and_group.txt
@ -1,5 +1,11 @@
-// The query finds attempts to list users or groups using Net commands
+// Name: Enumeration of users and groups 
-// Tags: #Initial Access #Execution #Persistence #Lateral Movement #Discovery
+
 // Description: finds attempts to list users or groups using the built-in Windows 'net' tool 
 // Data source: SecurityEvent
 // Techniques: #Discovery
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
--- a/Queries/SecurityEvent/masquerading_files.txt
+++ b/Queries/SecurityEvent/masquerading_files.txt
@ -0,0 +1,21 @@
 // Name: masquerading files.
 // Description: Malware writers often use windows system process names for their malicious process names to make them blend 
 // in with other legitimate commands that the Windows system executes.
 // An analyst can create a simple query looking for a process named svchost.exe. 
 // It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process. 
 // The query also filters out the legitimate locations from which svchost.exe is launched.
 //
 // Data source: SecurityEvent
 //
 // Techniques: #Execution, #Defense Evasion
 //
 SecurityEvent
 | where ProcessName contains "svchost.exe"
 | where SubjectUserSid != "S-1-5-18"
 | where SubjectUserSid != "S-1-5-19"
 | where SubjectUserSid != "S-1-5-20"
 | where NewProcessName !contains ":\\Windows\\System32"
 | where NewProcessName !contains ":\\Windows\\Syswow64"
--- a/Queries/SecurityEvent/persistence_create_account.txt
+++ b/Queries/SecurityEvent/persistence_create_account.txt
@ -1,11 +1,16 @@
 // Name: Summary of users created using uncommon & undocumented commandline switches
-// Description: Summarizes users of uncommon & undocumented commandline switches to create persistance
+//
 // Description: Summarizes uses of uncommon & undocumented commandline switches to create persistence
 // User accounts may be created to achieve persistence on a machine.
 // Read more here: https://attack.mitre.org/wiki/Technique/T1136
 // Query for users being created using "net user" command
 // "net user" commands are noisy, so needs to be joined with another signal -
-// e.g. in this example we look  (e.g. /ad instead of /add)
+// e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)
-// Tags: #InitialAccess #Execution #LateralMovement #Persistance #DefenseEvasion 
+//
 // Data source: SecurityEvent
 //
 // Techniques: #Persistence
 //
 SecurityEvent
 | where EventID==4688
 | project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, 
--- a/Queries/SecurityEvent/powershell_downloads.txt
+++ b/Queries/SecurityEvent/powershell_downloads.txt
@ -1,5 +1,11 @@
-// Finds PowerShell execution events that could involve a download.
+// Name: powershell downloads
-// Tags: #Initial Access, #Execution, #Persistence
+//
 // Description: Finds PowerShell execution events that could involve a download
 //
 // Data source: SecurityEvent
 //
 // Techniques: #Initial Access, #Execution, #Persistence
 //
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
--- a/Queries/SecurityEvent/powershell_newencodedscipts.txt
+++ b/Queries/SecurityEvent/powershell_newencodedscipts.txt
@ -1,9 +1,15 @@
-// Identify and decode new encoded powershell scripts this week versus previous fortnight - generic
+// Name: new powershell scripts encoded on the commandline
-// Tags: #Initial Access, #Execution, #Persistence
+//
 // Description: Identify and decode new encoded powershell scripts this week versus previous fortnight
 //
 // Data source: SecurityEvent
 //
 // Techniques: #Initial Access, #Execution, #Persistence
 //
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
-| project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,        AccountDomain=SubjectDomainName,
+| project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,AccountDomain=SubjectDomainName,
  FileName=tostring(split(NewProcessName, '\\')[-1]),
 ProcessCommandLine = CommandLine, 
 InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
--- a/Queries/SecurityEvent/uncommon_processes.txt
+++ b/Queries/SecurityEvent/uncommon_processes.txt
@ -1,15 +1,23 @@
 // Name: uncommon processes - bottom 5%
 //
 // Description: Identify and decode new encoded powershell scripts this week versus previous fortnight
 //
 // Description:
 // Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)
 // These new processes could be benign new programs installed on hosts; 
 // However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. 
 // Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.
-// Uncommon processes/files - bottom 5%
+//
-// Tags: #Initial Access, #Execution, #Persistence, #Privilege Escalation, #Credential Access, #Discovery, #Lateral Movement, #Collection, #Exfiltration, #Command and Control
+// Data source: SecurityEvent
 //
 // Techniques: #Initial Access, #Execution, #Persistence, #Privilege Escalation, #Credential Access, #Discovery, #Lateral Movement, #Collection, #Exfiltration, #Command and Control
 //
 let ProcessCreationEvents=() {
    let processEvents=SecurityEvent
    | where EventID==4688
    // filter out common randomly named files related to MSI installers and browsers
-    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{3}.tmp")
+    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{3}\.tmp")
-    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{4}.tmp")
+    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{4}\.tmp")
    | where not(NewProcessName matches regex @"Installer\\MSI[0-9A-Fa-f]{3}\.tmp")
    | where not(NewProcessName matches regex @"Installer\\MSI[0-9A-Fa-f]{4}\.tmp")
    | project TimeGenerated, 
--- a/Queries/initial_access/anomalous_app_azuread_signin.txt
+++ b/Queries/initial_access/anomalous_app_azuread_signin.txt
@ -1,7 +1,12 @@
-// Name: Anomalous Azure AD apps based on authentication location
+// Name: Anomalous Azure Active Directory apps based on authentication location
 //
 // Description: This query over Azure AD sign-in activity highlights Azure AD apps with 
 // an unusually high ratio of distinct geolocations versus total number of authentications
-// Tags: #InitialAccess
+//
 // Data source: SigninLogs
 //
 // Techniques: #InitialAccess
 //
 let timeRange=ago(14d);
 let azureSignIns = 
 SigninLogs
--- a/Queries/initial_access/new_locations_azuread_signin.txt
+++ b/Queries/initial_access/new_locations_azuread_signin.txt
@ -1,8 +1,12 @@
-// Name: azure AD signins from new locations.
+// Name: Azure Active Directory signins from new locations.
-// Description: New AzureAD signin locations today versus historical Azure AD signin data
+//
-// In the case of password spraying or brute force attacks 
+// Description: New Azure Active Directory signin locations today versus historical Azure Active Directory signin data
-// one might see authentication attempts for many accounts from a new location.
+// In the case of password spraying or brute force attacks one might see authentication attempts for many accounts from a new location.
-// Tags: #InitialAccess
+//
 // Data source: SigninLogs
 //
 // Techniques: #InitialAccess
 //
 SigninLogs
 | where TimeGenerated >= ago(1d)
 | summarize perIdentityAuthCount=count() by Identity,  locationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";" , tostring(LocationDetails["geoCoordinates"]))
--- a/Queries/initial_access/signinBurstFromMultipleLocations.txt
+++ b/Queries/initial_access/signinBurstFromMultipleLocations.txt
@ -1,7 +1,12 @@
-// Name: Signin burst from multiple locations
+// Name: Azure Active Directory sign-in burst from multiple locations
-// Description: This query over Azure AD sign-in activity highlights accounts associated
+//
-// with multiple authentications from different geographical locations in a short space of time
+// Description: This query over Azure Active Directory sign-in activity highlights accounts associated
-// Tags: #InitialAccess
+// with multiple authentications from different geographical locations in a short space of time.
 //
 // Data source: SigninLogs
 //
 // Techniques: #InitialAccess
 //
 let timeRange=ago(10d);
 let signIns = SigninLogs
 | where TimeGenerated >= timeRange
--- a/Queries/execution/execute_base64_decodedpayload.txt
+++ b/Queries/execution/execute_base64_decodedpayload.txt
@ -1,24 +0,0 @@
 // Process executed from binary hidden in Base64 encoded file.  Encoding malicious software is a technique to obfuscate files from detection.
 //   The first ProcessCommandLine component is looking for Python decoding base64
 //   The second ProcesssCommandLine component is looking for the Bash/sh commandline base64 decoding tool
 //   The third one is looking for Ruby decoding base64
 // Tags: #Initial Access, #Execution, #Defense Evasion
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
 | project  EventTime=TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,        AccountDomain=SubjectDomainName,
 FileName=reverse(substring(reverse(NewProcessName), 0, indexof(reverse(NewProcessName), "\\"))), // convert SecurityEvents raw schema to get FileName & CommandLine 
 ProcessCommandLine = CommandLine, 
 FolderPath = "",
 InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
 processEvents ;
 };
 ProcessCreationEvents 
 | where EventTime > ago(14d) 
 | where ProcessCommandLine contains ".decode('base64')"
        or ProcessCommandLine contains "base64 --decode"
        or ProcessCommandLine contains ".decode64(" 
 | project EventTime , ComputerName , FileName , ProcessCommandLine , InitiatingProcessCommandLine 
 | top 100 by EventTime 
--- a/Queries/execution/masquerading_files.txt
+++ b/Queries/execution/masquerading_files.txt
@ -1,30 +0,0 @@
 // Malware writers often use windows system process names for their malicious process names to make them blend in with other legitimate commands that the Windows system executes.
 // an analyst can create a simple query looking for a process named Svchost.exe. 
 // It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process. 
 // The query also filters out the legitimate locations from which svchost.exe is launched.
 // Tags: #Execution, #Defense Evasion
 SecurityEvent
 | where TimeGenerated >= ago(2d)
 | where ProcessName contains "svchost.exe"
 | where SubjectUserSid != "S-1-5-18"
 | where SubjectUserSid != "S-1-5-19"
 | where SubjectUserSid != "S-1-5-20"
 | where NewProcessName !contains "C:\\Windows\\System32"
 | where NewProcessName !contains "C:\\Windows\\Syswow64"
 // If we also wanted to see what alerts fired on these machines we could extend the above query and join them with the SecurityAlerts table from Azure Security Center.
 // Azure Security Center must be enabled for this query to be valid
 // Tags: #Execution
 SecurityEvent
    | where EventID == 4624
    | where AccountType == "User"
    | where TimeGenerated >= ago(1d)
    | extend Computer = toupper(Computer)
    | summarize IndividualAccounts = dcount(Account) by Computer
    | where IndividualAccounts > 4
 | join (SecurityAlert
                 | extend ExtProps=parsejson(ExtendedProperties)
                 | extend Computer=toupper(tostring(ExtProps["Compromised Host"]))
                 )
 on Computer
--- a/Queries/exfiltration/sharepoint_downloads.txt
+++ b/Queries/exfiltration/sharepoint_downloads.txt
@ -1,59 +0,0 @@
 //Shows volume of documents uploaded to or downloaded from Sharepoint by new IP addresses. 
 //In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
 // Tags: #Exfiltration
 let historicalActivity=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 | summarize historicalCount=count() by ClientIP;
 let recentActivity = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 | summarize recentCount=count() by ClientIP;
 recentActivity | join kind= leftanti (
   historicalActivity 
 ) on ClientIP; 
 //Shows volume of documents uploaded to or downloaded from Sharepoint by user agent. 
 //Tracking via user agent is one way to differentiate between types of connecting device. 
 //In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. 
 //In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
 // Sharepoint - files downloaded/uploaded by new user agent
 // Tags: #Exfiltration
 let historicalActivity=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 | summarize historicalCount=count() by UserAgent;
 let recentActivity = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 | summarize recentCount=count() by UserAgent;
 recentActivity | join kind= leftouter (
   historicalActivity 
 ) on UserAgent; 
 // Sharepoint -New user agents associated with a clientIP for sharepoint file uploads/downloads
 // Tags: #Exfiltration
 let historicalUA=
 OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated between(ago(30d)..ago(7d))
 // DEMO | where TimeGenerated between(datetime(2018-05-25)..datetime(2018-05-29 21:00)) // fake history
 | summarize by ClientIP, UserAgent;
 let recentUA = OfficeActivity
 | where  RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
 | where TimeGenerated > ago(1d) 
 // DEMO | where TimeGenerated between (datetime(2018-05-29 21:30)..datetime(2018-05-29 21:45)) 
 | summarize by ClientIP, UserAgent;
 recentUA | join kind=leftanti (
   historicalUA 
 ) on ClientIP, UserAgent; 
--- a/Queries/persistance/create_office_account.txt
+++ b/Queries/persistance/create_office_account.txt
@ -1,9 +0,0 @@
 // Name: Summary of users creating new user accounts
 // Description: new user accounts may be an attacker providing themselves with backdoor access for some later date.
 // an account creating further accounts for the first time may be an indication of compromise
 // Tags: #Persistance
 OfficeActivity
 | where Operation == "Add user."
 | project addedBy=UserId, newUser=OfficeObjectId 
 | summarize newUserCount=dcount(newUser) by addedBy
 | render barchart