Reverting Hunting queries and Analytic Rules for cloud service

This commit is contained in:
v-sabiraj 2022-12-13 18:27:21 +05:30
Родитель 809392cf9b
Коммит 3a86198e2a
25 изменённых файлов: 416 добавлений и 460 удалений


@ -1174,26 +1174,6 @@
"templateName": "UserAgentSearch_log4j.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "e2ed38ed-c1df-4258-8da0-f5e94153359b",
"templateName": "Malicious_Inbox_Rule.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "18583af2-43ca-46af-9bcf-3a725d5bbc35",
"templateName": "Office_MailForwarding.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "2ac22977-a8d6-41e3-94a4-0d17f55aec35",
"templateName": "office_policytampering.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
"templateName": "Anomalous_Listing_Of_Storage_Keys.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
"templateName": "AzureKeyVaultAccessManipulation.yaml",
@ -1204,21 +1184,6 @@
"templateName": "AzureResourceAssignedPublicIP.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "d5a24602-f84e-43a4-bcf0-4a7a02f02930",
"templateName": "Creating_Anomalous_Number_Of_Resources.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "ccbf00fb-216c-4886-9038-27d163081ab1",
"templateName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "0b9c7ecb-9191-423a-8a9a-94ad492f595f",
"templateName": "OfficeMailForwarding_hunting.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "216630a8-b01a-4028-a987-659eabc6c3bc",
"templateName": "AdFind_Usage.yaml",


@ -208,15 +208,8 @@
"85695071-6425-4ebf-a2f9-e7a827569848",
"9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3",
"939d1daa-9ee5-43ae-ae96-12c30c41e528",
"e2ed38ed-c1df-4258-8da0-f5e94153359b",
"18583af2-43ca-46af-9bcf-3a725d5bbc35",
"2ac22977-a8d6-41e3-94a4-0d17f55aec35",
"f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
"b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
"fedcfc8f-8bc5-463e-ad35-ae68790f7d65",
"d5a24602-f84e-43a4-bcf0-4a7a02f02930",
"ccbf00fb-216c-4886-9038-27d163081ab1",
"0b9c7ecb-9191-423a-8a9a-94ad492f595f",
"216630a8-b01a-4028-a987-659eabc6c3bc",
"e7494988-910e-49a2-83fb-0d3ff0a3bb3e",
"81becf02-9f95-456c-8dba-661f5383dcf2",


@ -235,15 +235,8 @@
"85695071-6425-4ebf-a2f9-e7a827569848",
"9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3",
"939d1daa-9ee5-43ae-ae96-12c30c41e528",
"e2ed38ed-c1df-4258-8da0-f5e94153359b",
"18583af2-43ca-46af-9bcf-3a725d5bbc35",
"2ac22977-a8d6-41e3-94a4-0d17f55aec35",
"f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
"b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
"fedcfc8f-8bc5-463e-ad35-ae68790f7d65",
"d5a24602-f84e-43a4-bcf0-4a7a02f02930",
"ccbf00fb-216c-4886-9038-27d163081ab1",
"0b9c7ecb-9191-423a-8a9a-94ad492f595f",
"216630a8-b01a-4028-a987-659eabc6c3bc",
"e7494988-910e-49a2-83fb-0d3ff0a3bb3e",
"81becf02-9f95-456c-8dba-661f5383dcf2",


@ -1,4 +1,54 @@
id: e2ed38ed-c1df-4258-8da0-f5e94153359b
name: Malicious Inbox Rule
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
name: Malicious Inbox Rule
description: |
'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1078
query: |
let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
OfficeActivity
| where Operation =~ "New-InboxRule"
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
| extend Events=todynamic(Parameters)
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords)
or BodyContainsWords has_any (Keywords)
or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled
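Review bot: The restored query keys only on rule creation at `| where Operation =~ "New-InboxRule"`, so an attacker who adds a delete action and keyword filter to an existing rule through `Set-InboxRule` is not seen, even though the parameter parsing that follows would work for that operation as well. Consider `| where Operation in~ ("New-InboxRule", "Set-InboxRule")`, assuming Set-InboxRule is audited in the tenant. Two entries in `Keywords` carry a leading space (`" alert"`, `" suspicious"`); whether `has_any` treats them as the bare terms should be confirmed, otherwise those two keywords never match.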


@ -1,4 +1,54 @@
id: 18583af2-43ca-46af-9bcf-3a725d5bbc35
name: Multiple users email forwarded to same destination
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: 871ba14c-88ef-48aa-ad38-810f26760ca3
name: Multiple users email forwarded to same destination
description: |
'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
let queryfrequency = 1d;
let queryperiod = 7d;
OfficeActivity
| where TimeGenerated > ago(queryperiod)
| where OfficeWorkload =~ "Exchange"
//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| extend DestinationMailAddress = tolower(case(
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
""))
| where isnotempty(DestinationMailAddress)
| mv-expand split(DestinationMailAddress, ";")
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
| mv-expand UserId to typeof(string)
| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled
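Review bot: The summarize at `... by tostring(DestinationMailAddress), ClientIP` counts distinct users per (destination, source IP) pair, so two compromised mailboxes forwarded to the same address from different IPs fall into separate groups and `DistinctUserCount > 1` never fires, although the description promises detection per destination. Group by destination only and collect the source IPs instead, e.g. `ClientIPs = make_set(ClientIP, 250) ... by tostring(DestinationMailAddress)`, then `| mv-expand ClientIPs to typeof(string)` alongside the existing `UserId` expansion so the IP entity mapping still receives a scalar column.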


@ -1,4 +1,57 @@
id: 2ac22977-a8d6-41e3-94a4-0d17f55aec35
name: Office policy tampering
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
name: Office policy tampering
description: |
'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
An adversary may use this technique to evade detection or avoid other policy based defenses.
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1562
query: |
let opList = OfficeActivity
| summarize by Operation
//| where Operation startswith "Remove-" or Operation startswith "Disable-"
| where Operation has_any ("Remove", "Disable")
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
| summarize make_set(Operation);
OfficeActivity
// Only admin or global-admin can disable/remove policy
| where RecordType =~ "ExchangeAdmin"
| where UserType in~ ("Admin","DcAdmin")
// Pass in interesting Operation list
| where Operation in~ (opList)
| extend ClientIPOnly = case(
ClientIP has ".", tostring(split(ClientIP,":")[0]),
ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
ClientIP
)
| extend Port = case(
ClientIP has ".", (split(ClientIP,":")[1]),
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
ClientIP
)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
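Review bot: The description claims the rule covers audit-log tampering, but `opList` only keeps operations matching `has_any ("Remove", "Disable")`, and turning off unified audit logging in Exchange Online is, as far as I know, done with `Set-AdminAuditLogConfig`, which this filter drops. Consider adding that cmdlet explicitly, e.g. `| where Operation in~ (opList) or (Operation =~ "Set-AdminAuditLogConfig" and Parameters has "UnifiedAuditLogIngestionEnabled")`, and confirm the parameter name against a real OfficeActivity record. Note also that `UserType in~ ("Admin","DcAdmin")` will exclude policy changes made by applications or service principals if those are logged with a different UserType.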


@ -1,4 +1,44 @@
id: f43cd5a6-69fe-4a2b-917e-b514e1b24ab1
name: Azure storage key enumeration
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
name: Azure storage key enumeration
description: |
'Listing of storage keys is an interesting operation in Azure which might expose additional
secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
type, it would be interesting to see if the account performing this activity or the source IP address from
which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only had single
operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
event). The activities for listing storage account keys is correlated with this learned
clusters of expected activities and activity which is not expected is returned.'
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| join kind= inner (
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
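Review bot: `| where ActivityStatusValue == "Succeeded"` (in both the outer query and the join) is a case-sensitive match on the legacy AzureActivity status string; workspaces on the newer AzureActivity schema, as far as I know, report `Success` instead, in which case this restored hunting query returns nothing. Use `| where ActivityStatusValue in~ ("Succeeded", "Success")` in both places. Separately, the baseline built by `autocluster()` comes from the same rows being evaluated, so a caller's anomalous IP contributes to its own expected set; acceptable for a hunting query, but worth a sentence in the description.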


@ -1,4 +1,27 @@
id: d5a24602-f84e-43a4-bcf0-4a7a02f02930
name: Creation of an anomalous number of resources
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
name: Creation of an anomalous number of resources
description: |
'Looks for anomalous number of resources creation or deployment activities in azure activity log.
It is best to run this query on a look back period which is at least 7 days.'
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
tactics:
- Impact
relevantTechniques:
- T1496
query: |
AzureActivity
| where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write")
| where ActivityStatusValue == "Succeeded"
| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
| extend AccountCustomEntity = Caller
| extend timestamp = todatetime(EventSubmissionTimestamp[7])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
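Review bot: Despite its name, the restored query never scores anything as anomalous: after `make-series dcount(ResourceId) ... by Caller` it emits one series per caller with no anomaly detection or threshold, leaving the analyst to inspect every row. Adding `| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(dcount_ResourceId)` followed by `| where todouble(Anomalies[7]) > 0` (index 7 being the same last bin the `timestamp` line already uses) would keep only callers whose latest day spiked; `dcount_ResourceId` is the default aggregate name make-series assigns, confirm it in the workspace. The `ActivityStatusValue == "Succeeded"` filter has the same legacy-schema caveat as the storage-key query in this commit.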


@ -1,4 +1,41 @@
id: ccbf00fb-216c-4886-9038-27d163081ab1
name: Mail redirect via ExO transport rule
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: 9891684a-1e3a-4546-9403-3439513cbc70
name: Mail redirect via ExO transport rule
description: |
'Identifies when Exchange Online transport rule configured to forward emails.
This could be an adversary mailbox configured to collect mail from multiple user accounts.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Exchange)
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| extend RuleName = case(
Operation =~ "Set-TransportRule", OfficeObjectId,
Operation =~ "New-TransportRule", ParsedParameters.Name,
"Unknown")
| mv-expand ExpandedParameters = todynamic(Parameters)
| where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
| extend RedirectTo = ExpandedParameters.Value
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
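Review bot: The filter `ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo")` misses the other transport-rule actions that deliver mail to an extra recipient, `CopyTo` and `AddToRecipients`, so a rule built with those would not surface even though the description covers forwarding generally. Extend it to `in~ ("BlindCopyTo", "RedirectMessageTo", "CopyTo", "AddToRecipients")`; these are New/Set-TransportRule parameters and should appear in `Parameters` the same way, though confirm against a sample record. Also `OfficeWorkload == "Exchange"` is the only case-sensitive comparison among the rules restored here; the sibling forwarding rule uses `=~`.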


@ -1,4 +1,51 @@
id: 0b9c7ecb-9191-423a-8a9a-94ad492f595f
name: Office Mail Forwarding - Hunting Version
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
name: Office Mail Forwarding - Hunting Version
description: |
'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if
it is being forwarded to external domains as well.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Exchange)
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
OfficeActivity
| where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress')
or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo'))
| extend parsed=parse_json(Parameters)
| extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value)))
| where isnotempty(fwdingDestination_initial)
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial )
| parse fwdingDestination with * '@' ForwardedtoDomain
| parse UserId with *'@' UserDomain
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0]))
| where ForwardedtoDomain !contains subDomain
| extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Port = case(
ClientIP has ".", (split(ClientIP,":")[1]),
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
ClientIP
)
| project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
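Review bot: `fwdingDestination_initial` is read positionally (`parsed[1].Value` for Set-Mailbox, `parsed[2].Value` otherwise), which assumes the `Parameters` array always carries the forwarding address at that index and silently yields the wrong value when the order differs. The other rules restored in this commit resolve parameters by name with `mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))` followed by `bag_unpack` and `column_ifexists` for `ForwardingSmtpAddress`, `ForwardTo` and `RedirectTo`; the same pattern should replace the two index lookups here. Separately, the `Result` value `"Forward rule for Internal domain"` appears unreachable, because the preceding `| where ForwardedtoDomain !contains subDomain` already removes every destination that shares the user's second-level domain label.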



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n 4. 
[Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\r\n \r\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n1.[ Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\r\n \r\n2.[ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \r\n \r\n3.[ Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \r\n \r\n4.[ Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \r\n \r\n **Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about 
Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",


@ -78,7 +78,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Hunting Query 1 with template",
"displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
"displayName": "Attacker Tools Threat Protection Essentials HQ template"
}
},
{
@ -170,7 +170,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Hunting Query 2 with template",
"displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
"displayName": "Attacker Tools Threat Protection Essentials HQ template"
}
},
{
@ -262,7 +262,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 1 with template",
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
"displayName": "Attacker Tools Threat Protection Essentials AR template"
}
},
{
@ -405,7 +405,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 2 with template",
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
"displayName": "Attacker Tools Threat Protection Essentials AR template"
}
},
{
@ -531,7 +531,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 3 with template",
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
"displayName": "Attacker Tools Threat Protection Essentials AR template"
}
},
{
@ -657,7 +657,7 @@
},
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 4 with template",
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
"displayName": "Attacker Tools Threat Protection Essentials AR template"
}
},
{
@ -839,6 +839,31 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId4')]",
"version": "[variables('analyticRuleVersion4')]"
},
{
"criteria": [
{
"contentId": "azuresentinel.azure-sentinel-solution-securityevents",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-dns",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
"kind": "Solution",
"version": "2.0.0"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
"kind": "Solution",
"version": "2.0.5"
}
],
"Operator": "OR"
}
]
},
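Review bot: The dependency versions added under the new `criteria` group (`2.0.1`, `2.0.1`, `2.0.0`, `2.0.5`) should be checked for whether `version` is treated as a minimum or an exact match, because if it is exact, every subsequent release of those connector solutions breaks this solution's dependency. The `"Operator": "OR"` key is capitalized here, while the top-level dependency object in these packaged templates usually spells it `operator`; confirm the capitalized form is accepted by the packaging tool rather than ignored. The OR semantics themselves match the "Install one or more" wording in the createUiDefinition text changed in the same commit.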


@ -1,54 +0,0 @@
id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
name: Malicious Inbox Rule
description: |
'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1078
query: |
let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
OfficeActivity
| where Operation =~ "New-InboxRule"
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
| extend Events=todynamic(Parameters)
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords)
or BodyContainsWords has_any (Keywords)
or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,54 +0,0 @@
id: 871ba14c-88ef-48aa-ad38-810f26760ca3
name: Multiple users email forwarded to same destination
description: |
'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
let queryfrequency = 1d;
let queryperiod = 7d;
OfficeActivity
| where TimeGenerated > ago(queryperiod)
| where OfficeWorkload =~ "Exchange"
//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| extend DestinationMailAddress = tolower(case(
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
""))
| where isnotempty(DestinationMailAddress)
| mv-expand split(DestinationMailAddress, ";")
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
| mv-expand UserId to typeof(string)
| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,57 +0,0 @@
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
name: Office policy tampering
description: |
'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
An adversary may use this technique to evade detection or avoid other policy based defenses.
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1562
query: |
let opList = OfficeActivity
| summarize by Operation
//| where Operation startswith "Remove-" or Operation startswith "Disable-"
| where Operation has_any ("Remove", "Disable")
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
| summarize make_set(Operation);
OfficeActivity
// Only admin or global-admin can disable/remove policy
| where RecordType =~ "ExchangeAdmin"
| where UserType in~ ("Admin","DcAdmin")
// Pass in interesting Operation list
| where Operation in~ (opList)
| extend ClientIPOnly = case(
ClientIP has ".", tostring(split(ClientIP,":")[0]),
ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
ClientIP
)
| extend Port = case(
ClientIP has ".", (split(ClientIP,":")[1]),
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
ClientIP
)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled


@ -1,44 +0,0 @@
id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
name: Azure storage key enumeration
description: |
'Listing of storage keys is an interesting operation in Azure which might expose additional
secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
type, it would be interesting to see if the account performing this activity or the source IP address from
which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only had single
operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
event). The activities for listing storage account keys is correlated with this learned
clusters of expected activities and activity which is not expected is returned.'
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| join kind= inner (
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,27 +0,0 @@
id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
name: Creation of an anomalous number of resources
description: |
'Looks for anomalous number of resources creation or deployment activities in azure activity log.
It is best to run this query on a look back period which is at least 7 days.'
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
tactics:
- Impact
relevantTechniques:
- T1496
query: |
AzureActivity
| where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write")
| where ActivityStatusValue == "Succeeded"
| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
| extend AccountCustomEntity = Caller
| extend timestamp = todatetime(EventSubmissionTimestamp[7])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity


@ -1,41 +0,0 @@
id: 9891684a-1e3a-4546-9403-3439513cbc70
name: Mail redirect via ExO transport rule
description: |
'Identifies when Exchange Online transport rule configured to forward emails.
This could be an adversary mailbox configured to collect mail from multiple user accounts.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Exchange)
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| extend RuleName = case(
Operation =~ "Set-TransportRule", OfficeObjectId,
Operation =~ "New-TransportRule", ParsedParameters.Name,
"Unknown")
| mv-expand ExpandedParameters = todynamic(Parameters)
| where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
| extend RedirectTo = ExpandedParameters.Value
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,51 +0,0 @@
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
name: Office Mail Forwarding - Hunting Version
description: |
'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if
it is being forwarded to external domains as well.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Exchange)
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
OfficeActivity
| where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress')
or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo'))
| extend parsed=parse_json(Parameters)
| extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value)))
| where isnotempty(fwdingDestination_initial)
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial )
| parse fwdingDestination with * '@' ForwardedtoDomain
| parse UserId with *'@' UserDomain
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0]))
| where ForwardedtoDomain !contains subDomain
| extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Port = case(
ClientIP has ".", (split(ClientIP,":")[1]),
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
ClientIP
)
| project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. 
[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contains queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. 
[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",


@ -73,7 +73,7 @@
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 1 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
"displayName": "Network Threat Protection Essentials HQ template"
}
},
{
@ -165,7 +165,7 @@
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 2 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
"displayName": "Network Threat Protection Essentials HQ template"
}
},
{
@ -257,7 +257,7 @@
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 3 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
"displayName": "Network Threat Protection Essentials HQ template"
}
},
{
@ -349,7 +349,7 @@
},
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 1 with template",
"displayName": "Network Threat Protection Essentials Analytics Rule template"
"displayName": "Network Threat Protection Essentials AR template"
}
},
{
@ -502,7 +502,7 @@
},
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 2 with template",
"displayName": "Network Threat Protection Essentials Analytics Rule template"
"displayName": "Network Threat Protection Essentials AR template"
}
},
{
@ -674,6 +674,56 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId2')]",
"version": "[variables('analyticRuleVersion2')]"
},
{
"criteria": [
{
"contentId": "azuresentinel.azure-sentinel-solution-office365",
"kind": "Solution",
"version": "2.0.0"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-dns",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "sentinel4azurefirewall.sentinel4azurefirewall",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
"kind": "Solution",
"version": "2.0.0"
},
{
"contentId": "zscaler1579058425289.zscaler_internet_access_mss",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
"kind": "Solution",
"version": "1.0.5"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
"kind": "Solution",
"version": "1.0.5"
},
{
"contentId": "checkpoint.checkpoint-sentinel-solutions",
"kind": "Solution",
"version": "1.0.0"
}
],
"Operator": "OR"
}
]
},
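Review bot: The property `"Operator": "OR"` that closes the new nested dependency group is the only capitalised key in the hunk, while every sibling key in the same block (`criteria`, `contentId`, `kind`, `version`) is lower-case; if the solution-package schema matches property names case-sensitively, the group loses its OR semantics and the nine connector solutions would no longer be treated as "any one of these satisfies the prerequisite" as the package description promises. Please check the spelling against an existing nested group in the same template and, if the schema expects lower-case, change the line to `"operator": "OR"`. It is also worth confirming that the pinned versions (`2.0.0`, `2.0.1`, `1.0.5`, `1.0.0`) are interpreted as minimum versions rather than exact matches, since a workspace that has already updated one of those connector solutions would otherwise fail the dependency check at install time. The enclosing `dependencies` object starts before this hunk, so the top-level operator it combines this group with is not visible here.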


@ -743,24 +743,6 @@
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Analytic%20Rules"
},
{
"FileName": "Malicious_Inbox_Rule.yaml.yaml",
"DetectionId": "7b907bf7-77d4-41d0-a208-5643ff75bf9a",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
},
{
"FileName": "Office_MailForwarding.yaml",
"DetectionId": "871ba14c-88ef-48aa-ad38-810f26760ca3",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
},
{
"FileName": "office_policytampering.yaml",
"DetectionId": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
},
{
"FileName": "AdFind_Usage.yaml",
"DetectionId": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd",


@ -593,12 +593,6 @@
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AWSCloudTrail/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/Hunting%20Queries/"
},
{
"FileName": "Anomalous_Listing_Of_Storage_Keys.yaml",
"DetectionId": "5d2399f9-ea5c-4e67-9435-1fba745f3a39",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
},
{
"FileName": "AzureKeyVaultAccessManipulation.yaml",
"DetectionId": "8eff7055-9138-4edc-b8f0-48ea27e23c3c",
@ -611,24 +605,6 @@
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
},
{
"FileName": "Creating_Anomalous_Number_Of_Resources.yaml",
"DetectionId": "a09e6368-065b-4f1e-a4ce-b1b3a64b493b",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
},
{
"FileName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml",
"DetectionId": "9891684a-1e3a-4546-9403-3439513cbc70",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
},
{
"FileName": "OfficeMailForwarding_hunting.yaml",
"DetectionId": "d49fc965-aef3-49f6-89ad-10cc4697eb5b",
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
},
{
"FileName": "CobaltDNSBeacon.yaml",
"DetectionId": "dde206fc-3f0b-4175-bb5d-42d2aae9d4c9",