Expansions strongify (#1329)

* Expansions strongify Mapping stringer identifiers * Fixing these up a bit to simplify and output additional entity mappings * Couple other tweaks Co-authored-by: Shain Wray (MSTIC) <shainw@microsoft.com>
2020-11-22 09:07:55 +02:00 · 2020-11-22 09:07:55 +02:00 · 3a4a479b1c
--- a/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
+++ b/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
@ -20,9 +20,7 @@ relevantTechniques:
  - T1530
  - T1213
  - T1020
-
 query: |
-
  // Replace these with the usename or emails of your VIP users you wish to monitor for.
  let vips = dynamic(['vip1@email.com','vip2@email.com']);
  let timeframe = 1d;
@ -30,3 +28,10 @@ query: |
  | where TimeGenerated > ago(timeframe)
  | where QueryText has_any (vips)
  | project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
+  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
--- a/Detections/OfficeActivity/Office_Uploaded_Executables.yaml
+++ b/Detections/OfficeActivity/Office_Uploaded_Executables.yaml
@ -47,7 +47,21 @@ query: |
  | extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_',UserId))
  // identify when UserId is not a match to the specific site url personal folder reference
  | extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) 
-  | summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), 
+  | summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
  UserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)
  by OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
-
+  | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url
+  
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
--- a/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml
+++ b/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml
@ -20,7 +20,6 @@ relevantTechniques:
  - T1098
  - T1078
 query: |
-
  let timeframe = 1h;
  let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
  let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
@ -34,9 +33,8 @@ query: |
  // Exclude Remote Desktop Users group: S-1-5-32-555
  | where TargetSid !in ("S-1-5-32-555")
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
-  | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, 
-  GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid,  
-  GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;
+  | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, 
+  GroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;
  let GroupCreated = SecurityEvent
  | where TimeGenerated > ago(timeframe)
  // 4727 - A security-enabled global group was created
@ -44,20 +42,21 @@ query: |
  // 4754 - A security-enabled universal group was created
  | where EventID in ("4727", "4731", "4754")
  | where AccountType =~ "User"
-  | project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, 
-  GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName, 
-  GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;
+  | project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, 
+  GroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;
  GroupCreated
  | join (
  GroupAddition
  ) on GroupSid 
-  | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer
+  | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: GroupCreateSubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: HostCustomEntity
--- a/Detections/SecurityEvent/PotentialKerberoast.yaml
+++ b/Detections/SecurityEvent/PotentialKerberoast.yaml
@ -44,23 +44,23 @@ query: |
  let Kerbevent23h = Kerbevent
  | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
  | summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) 
-  by Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
+  by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
  | where ServiceNameCountPrev23h < prev23hThreshold;
  let Kerbevent1h = 
  Kerbevent
  | where TimeGenerated >= ago(endtime)
  | summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) 
-  by Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
+  by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
  Kerbevent1h 
  | join kind=leftanti
  (
  Kerbevent23h
-  ) on TargetUserName
+  ) on TargetUserName, TargetDomainName
  // Threshold value set above is based on testing, this value may need to be changed for your environment.
  | where ServiceNameCountPrev1h > prev1hThreshold
  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, 
-  TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress
+  TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,"\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml
+++ b/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml
@ -19,7 +19,6 @@ relevantTechniques:
  - T1098
  - T1078
 query: |
-
  let timeframe = 1d;
  let spanoftime = 10m;
  let threshold = 0;
@ -28,28 +27,30 @@ query: |
  // A user account was created
  | where EventID == 4720
  | where AccountType =~ "User"
-  | project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, 
-  AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid 
+  | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, 
+  AccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
  | join kind= inner (
    SecurityEvent
    | where TimeGenerated > ago(timeframe) 
    // A user account was deleted 
    | where EventID == 4726
  | where AccountType == "User"
-  | project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, 
-  AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid 
-  ) on Computer, TargetUserName
+  | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, 
+  AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
+  ) on Computer, TargetAccount
  | where deletionTime - creationTime < spanoftime
  | extend TimeDelta = deletionTime - creationTime
  | where tolong(TimeDelta) >= threshold
-  | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, 
-  deletionTime, DeleteEventID, AccountUsedToDelete
+  | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,
+  deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete
  | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: SIDofAccountUsedToCreate
  - entityType: Host
    fieldMappings:
      - identifier: FullName
--- a/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml
+++ b/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml
@ -19,7 +19,6 @@ relevantTechniques:
  - T1098
  - T1078
 query: |
-
  let timeframe = 1d;
  let spanoftime = 10m;
  let threshold = 0;
@ -28,28 +27,30 @@ query: |
  // A user account was enabled
  | where EventID == 4722
  | where AccountType =~ "User"
-  | project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, 
-  AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid 
+  | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, 
+  AccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
  | join kind= inner (
    SecurityEvent
    | where TimeGenerated > ago(timeframe) 
    // A user account was disabled 
    | where EventID == 4725
  | where AccountType == "User"
-  | project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, 
-  AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid 
-  ) on Computer, TargetUserName
-  | where deletionTime - creationTime < spanoftime
-  | extend TimeDelta = deletionTime - creationTime
+  | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, 
+  AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
+  ) on Computer, TargetAccount
+  | where DisableTime - EnableTime < spanoftime
+  | extend TimeDelta = DisableTime - EnableTime
  | where tolong(TimeDelta) >= threshold
-  | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, 
-  deletionTime, DeleteEventID, AccountUsedToDelete
-  | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer
+  | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, 
+  DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable
+  | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: SIDofAccountUsedToEnable
  - entityType: Host
    fieldMappings:
      - identifier: FullName
--- a/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml
+++ b/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml
@ -19,15 +19,14 @@ relevantTechniques:
  - T1098
  - T1078
 query: |
-
  let timeframe = 1d;
  SecurityEvent
  | where TimeGenerated > ago(timeframe) 
  | where EventID == 4720
  | where AccountType == "User"
  | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), 
-  CreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName
-  |join (
+  CreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid
+  | join (
  SecurityEvent 
  | where TimeGenerated > ago(timeframe) 
  | where AccountType == "User"
@ -35,20 +34,21 @@ query: |
  | where EventID == 4732
  //TargetSid is the builin Admins group: S-1-5-32-544
  | where TargetSid == "S-1-5-32-544"
-  | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, 
-  Domain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), 
-  CreatedUserSid = MemberSid
+  | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), 
+  GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid
  )
  on CreatedUserSid
  //Create User first, then the add to the group.
-  | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, 
-  GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid 
+  | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, 
+  GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser 
  | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: CreatedUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
--- a/Detections/SecurityEvent/password_never_expires.yaml
+++ b/Detections/SecurityEvent/password_never_expires.yaml
@ -30,14 +30,16 @@ query: |
  | extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
  // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.  
  | extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
-  | project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
+  | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount
+  | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer

 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: TargetSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
--- a/Detections/SecurityEvent/password_not_set.yaml
+++ b/Detections/SecurityEvent/password_not_set.yaml
@ -36,14 +36,16 @@ query: |
    | where EventID == 4723
    // Removing Machine Accounts
    | where TargetUserName !endswith "$"
-  ) on TargetUserName, TargetDomainName
-  | project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
+  ) on TargetAccount
+  | project StartTime = TimeGenerated, EventID, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid
+  | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
+      - identifier: SID
+        columnName: TargetSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName