Reverting Hunting queries and Analytic Rules for cloud service
Родитель
809392cf9b
Коммит
3a86198e2a
|
@ -1174,26 +1174,6 @@
|
|||
"templateName": "UserAgentSearch_log4j.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "e2ed38ed-c1df-4258-8da0-f5e94153359b",
|
||||
"templateName": "Malicious_Inbox_Rule.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "18583af2-43ca-46af-9bcf-3a725d5bbc35",
|
||||
"templateName": "Office_MailForwarding.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "2ac22977-a8d6-41e3-94a4-0d17f55aec35",
|
||||
"templateName": "office_policytampering.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
|
||||
"templateName": "Anomalous_Listing_Of_Storage_Keys.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
|
||||
"templateName": "AzureKeyVaultAccessManipulation.yaml",
|
||||
|
@ -1204,21 +1184,6 @@
|
|||
"templateName": "AzureResourceAssignedPublicIP.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "d5a24602-f84e-43a4-bcf0-4a7a02f02930",
|
||||
"templateName": "Creating_Anomalous_Number_Of_Resources.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "ccbf00fb-216c-4886-9038-27d163081ab1",
|
||||
"templateName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "0b9c7ecb-9191-423a-8a9a-94ad492f595f",
|
||||
"templateName": "OfficeMailForwarding_hunting.yaml",
|
||||
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
|
||||
},
|
||||
{
|
||||
"id": "216630a8-b01a-4028-a987-659eabc6c3bc",
|
||||
"templateName": "AdFind_Usage.yaml",
|
||||
|
|
|
@ -208,15 +208,8 @@
|
|||
"85695071-6425-4ebf-a2f9-e7a827569848",
|
||||
"9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3",
|
||||
"939d1daa-9ee5-43ae-ae96-12c30c41e528",
|
||||
"e2ed38ed-c1df-4258-8da0-f5e94153359b",
|
||||
"18583af2-43ca-46af-9bcf-3a725d5bbc35",
|
||||
"2ac22977-a8d6-41e3-94a4-0d17f55aec35",
|
||||
"f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
|
||||
"b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
|
||||
"fedcfc8f-8bc5-463e-ad35-ae68790f7d65",
|
||||
"d5a24602-f84e-43a4-bcf0-4a7a02f02930",
|
||||
"ccbf00fb-216c-4886-9038-27d163081ab1",
|
||||
"0b9c7ecb-9191-423a-8a9a-94ad492f595f",
|
||||
"216630a8-b01a-4028-a987-659eabc6c3bc",
|
||||
"e7494988-910e-49a2-83fb-0d3ff0a3bb3e",
|
||||
"81becf02-9f95-456c-8dba-661f5383dcf2",
|
||||
|
|
|
@ -235,15 +235,8 @@
|
|||
"85695071-6425-4ebf-a2f9-e7a827569848",
|
||||
"9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3",
|
||||
"939d1daa-9ee5-43ae-ae96-12c30c41e528",
|
||||
"e2ed38ed-c1df-4258-8da0-f5e94153359b",
|
||||
"18583af2-43ca-46af-9bcf-3a725d5bbc35",
|
||||
"2ac22977-a8d6-41e3-94a4-0d17f55aec35",
|
||||
"f43cd5a6-69fe-4a2b-917e-b514e1b24ab1",
|
||||
"b226c3e4-b909-45ef-9c03-5ae9db8dc2de",
|
||||
"fedcfc8f-8bc5-463e-ad35-ae68790f7d65",
|
||||
"d5a24602-f84e-43a4-bcf0-4a7a02f02930",
|
||||
"ccbf00fb-216c-4886-9038-27d163081ab1",
|
||||
"0b9c7ecb-9191-423a-8a9a-94ad492f595f",
|
||||
"216630a8-b01a-4028-a987-659eabc6c3bc",
|
||||
"e7494988-910e-49a2-83fb-0d3ff0a3bb3e",
|
||||
"81becf02-9f95-456c-8dba-661f5383dcf2",
|
||||
|
|
|
@ -1,4 +1,54 @@
|
|||
id: e2ed38ed-c1df-4258-8da0-f5e94153359b
|
||||
name: Malicious Inbox Rule
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
|
||||
name: Malicious Inbox Rule
|
||||
description: |
|
||||
'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
|
||||
This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
|
||||
Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
|
||||
OfficeActivity
|
||||
| where Operation =~ "New-InboxRule"
|
||||
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
|
||||
| extend Events=todynamic(Parameters)
|
||||
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
|
||||
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
|
||||
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
|
||||
| where SubjectContainsWords has_any (Keywords)
|
||||
or BodyContainsWords has_any (Keywords)
|
||||
or SubjectOrBodyContainsWords has_any (Keywords)
|
||||
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
|
||||
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
|
||||
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
|
||||
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
|
||||
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
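Review bot: The `| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ...` line takes everything before the first colon whenever the value contains a dot, so an IPv4-mapped IPv6 value with a `::ffff:` prefix yields an empty string and the IP entity is lost. The Office_MailForwarding rule restored in the same commit handles that form with its `extract_all(@'\[?(::ffff:)?(?P<IPAddress>...` regex; reusing that expression here would keep the two rules consistent. The `Keywords` list also mixes entries with a leading space (`" alert"`, `" suspicious"`) with plain words; a comment stating whether the leading space is intentional for `has_any` term matching would help the next maintainer.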
@ -1,4 +1,54 @@
|
|||
id: 18583af2-43ca-46af-9bcf-3a725d5bbc35
|
||||
name: Multiple users email forwarded to same destination
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: 871ba14c-88ef-48aa-ad38-810f26760ca3
|
||||
name: Multiple users email forwarded to same destination
|
||||
description: |
|
||||
'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
|
||||
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 7d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
let queryfrequency = 1d;
|
||||
let queryperiod = 7d;
|
||||
OfficeActivity
|
||||
| where TimeGenerated > ago(queryperiod)
|
||||
| where OfficeWorkload =~ "Exchange"
|
||||
//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
|
||||
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
|
||||
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
|
||||
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
|
||||
| extend DestinationMailAddress = tolower(case(
|
||||
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
|
||||
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
|
||||
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
|
||||
""))
|
||||
| where isnotempty(DestinationMailAddress)
|
||||
| mv-expand split(DestinationMailAddress, ";")
|
||||
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
|
||||
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
|
||||
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
|
||||
| mv-expand UserId to typeof(string)
|
||||
| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
||||
|
|
|
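Review bot: The constants `let queryfrequency = 1d;` and `let queryperiod = 7d;` at the top of `query:` duplicate the `queryFrequency: 1d` / `queryPeriod: 7d` metadata fields, so a later change to the scheduling fields without a matching edit to the query silently changes which rows survive the final `EndTime > ago(queryfrequency)` filter. A one-line comment above the two `let` statements, such as `// keep in sync with queryFrequency/queryPeriod above`, would make the coupling explicit. The commented-out `//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")` line is dead code and should either be dropped or annotated with why the operation filter was removed.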
@ -1,4 +1,57 @@
|
|||
id: 2ac22977-a8d6-41e3-94a4-0d17f55aec35
|
||||
name: Office policy tampering
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
|
||||
name: Office policy tampering
|
||||
description: |
|
||||
'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
|
||||
An adversary may use this technique to evade detection or avoid other policy based defenses.
|
||||
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1562
|
||||
query: |
|
||||
let opList = OfficeActivity
|
||||
| summarize by Operation
|
||||
//| where Operation startswith "Remove-" or Operation startswith "Disable-"
|
||||
| where Operation has_any ("Remove", "Disable")
|
||||
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
|
||||
| summarize make_set(Operation);
|
||||
OfficeActivity
|
||||
// Only admin or global-admin can disable/remove policy
|
||||
| where RecordType =~ "ExchangeAdmin"
|
||||
| where UserType in~ ("Admin","DcAdmin")
|
||||
// Pass in interesting Operation list
|
||||
| where Operation in~ (opList)
|
||||
| extend ClientIPOnly = case(
|
||||
ClientIP has ".", tostring(split(ClientIP,":")[0]),
|
||||
ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
|
||||
ClientIP
|
||||
)
|
||||
| extend Port = case(
|
||||
ClientIP has ".", (split(ClientIP,":")[1]),
|
||||
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
|
||||
ClientIP
|
||||
)
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
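Review bot: The `| where UserType in~ ("Admin","DcAdmin")` filter, together with the comment `// Only admin or global-admin can disable/remove policy`, excludes policy changes made through non-interactive identities; if the Office 365 connector populates `UserType` values such as `Application` or `ServicePrincipal` for app-only sessions, removals of AntiPhish, SafeLinks or audit configuration performed that way would not be surfaced. Consider documenting that scoping decision in the description, or widening the filter and relying on `RecordType =~ "ExchangeAdmin"` plus the `opList` operation set for precision. The commented-out `//| where Operation startswith "Remove-" or Operation startswith "Disable-"` line is dead code and should be removed or explained.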
@ -1,4 +1,44 @@
|
|||
id: f43cd5a6-69fe-4a2b-917e-b514e1b24ab1
|
||||
name: Azure storage key enumeration
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
|
||||
name: Azure storage key enumeration
|
||||
description: |
|
||||
'Listing of storage keys is an interesting operation in Azure which might expose additional
|
||||
secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
|
||||
type, it would be interesting to see if the account performing this activity or the source IP address from
|
||||
which it is being done is anomalous.
|
||||
The query below generates known clusters of ip address per caller, notice that users which only had single
|
||||
operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
|
||||
event). The activities for listing storage account keys is correlated with this learned
|
||||
clusters of expected activities and activity which is not expected is returned.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
- AzureActivity
|
||||
tactics:
|
||||
- Discovery
|
||||
relevantTechniques:
|
||||
- T1087
|
||||
query: |
|
||||
|
||||
AzureActivity
|
||||
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| join kind= inner (
|
||||
AzureActivity
|
||||
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| project ExpectedIpAddress=CallerIpAddress, Caller
|
||||
| evaluate autocluster()
|
||||
) on Caller
|
||||
| where CallerIpAddress != ExpectedIpAddress
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
|
||||
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
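Review bot: The self-join `| join kind= inner ( ... | evaluate autocluster() ) on Caller` followed by `| where CallerIpAddress != ExpectedIpAddress` compares every event against every cluster row for the same caller, so if `autocluster()` emits more than one segment for a caller (or a segment with an empty `ExpectedIpAddress`), an event from a known address still mismatches the other rows and is reported, inflating false positives. An anti-join expresses the intent directly, along the lines of `| join kind=leftanti ( ... | evaluate autocluster() | project CallerIpAddress=ExpectedIpAddress, Caller ) on Caller, CallerIpAddress` (a sketch; the projected columns need checking against autocluster's output). The summarize also uses an unbounded `make_set(ResourceId)`; a cap such as `make_set(ResourceId, 250)`, as the Office_MailForwarding rule does for `UserId`, avoids oversized rows.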
@ -1,4 +1,27 @@
|
|||
id: d5a24602-f84e-43a4-bcf0-4a7a02f02930
|
||||
name: Creation of an anomalous number of resources
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
|
||||
name: Creation of an anomalous number of resources
|
||||
description: |
|
||||
'Looks for anomalous number of resources creation or deployment activities in azure activity log.
|
||||
It is best to run this query on a look back period which is at least 7 days.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
- AzureActivity
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1496
|
||||
query: |
|
||||
|
||||
AzureActivity
|
||||
| where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write")
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
|
||||
| extend AccountCustomEntity = Caller
|
||||
| extend timestamp = todatetime(EventSubmissionTimestamp[7])
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
|
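Review bot: Despite the name and `description`, the query stops at `| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller` and returns one series per caller with no anomaly scoring or threshold, so every caller who created any resource in the window is emitted. Adding a scoring step such as `| extend (anomalies, score, baseline) = series_decompose_anomalies(dcount_ResourceId)` followed by a filter on the latest bin (`| where todouble(anomalies[7]) != 0`) would make the output match the stated intent; if the raw series is the intended deliverable for analysts, the description should say so. `timestamp = todatetime(EventSubmissionTimestamp[7])` also hard-codes the last of the eight daily bins; deriving it from the range would survive a change to the lookback.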
@ -1,4 +1,41 @@
|
|||
id: ccbf00fb-216c-4886-9038-27d163081ab1
|
||||
name: Mail redirect via ExO transport rule
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: 9891684a-1e3a-4546-9403-3439513cbc70
|
||||
name: Mail redirect via ExO transport rule
|
||||
description: |
|
||||
'Identifies when Exchange Online transport rule configured to forward emails.
|
||||
This could be an adversary mailbox configured to collect mail from multiple user accounts.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity (Exchange)
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
|
||||
OfficeActivity
|
||||
| where OfficeWorkload == "Exchange"
|
||||
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
|
||||
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
|
||||
| extend RuleName = case(
|
||||
Operation =~ "Set-TransportRule", OfficeObjectId,
|
||||
Operation =~ "New-TransportRule", ParsedParameters.Name,
|
||||
"Unknown")
|
||||
| mv-expand ExpandedParameters = todynamic(Parameters)
|
||||
| where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
|
||||
| extend RedirectTo = ExpandedParameters.Value
|
||||
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
|
||||
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
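Review bot: `| where OfficeWorkload == "Exchange"` uses the case-sensitive `==`, while the sibling Office_MailForwarding rule restored in the same commit filters with `OfficeWorkload =~ "Exchange"`; a casing difference in the ingested value would make this hunting query return nothing, so `=~` is the safer and consistent choice. The query also parses `Parameters` twice — once via `mv-apply ... make_bag(...)` into `ParsedParameters` and again via `| mv-expand ExpandedParameters = todynamic(Parameters)` — to read `BlindCopyTo`/`RedirectMessageTo`; reading them from the already-built bag would drop the second pass and the per-parameter row expansion. `case(Operation =~ "Set-TransportRule", OfficeObjectId, Operation =~ "New-TransportRule", ParsedParameters.Name, "Unknown")` mixes a string column with a dynamic property; wrapping the latter in `tostring(...)` avoids relying on implicit conversion.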
@ -1,4 +1,51 @@
|
|||
id: 0b9c7ecb-9191-423a-8a9a-94ad492f595f
|
||||
name: Office Mail Forwarding - Hunting Version
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials'
|
||||
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
|
||||
name: Office Mail Forwarding - Hunting Version
|
||||
description: |
|
||||
'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
|
||||
victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if
|
||||
it is being forwarded to external domains as well.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity (Exchange)
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
|
||||
OfficeActivity
|
||||
| where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress')
|
||||
or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo'))
|
||||
| extend parsed=parse_json(Parameters)
|
||||
| extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value)))
|
||||
| where isnotempty(fwdingDestination_initial)
|
||||
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial )
|
||||
| parse fwdingDestination with * '@' ForwardedtoDomain
|
||||
| parse UserId with *'@' UserDomain
|
||||
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0]))
|
||||
| where ForwardedtoDomain !contains subDomain
|
||||
| extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
|
||||
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
|
||||
| extend Port = case(
|
||||
ClientIP has ".", (split(ClientIP,":")[1]),
|
||||
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
|
||||
ClientIP
|
||||
)
|
||||
| project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n 4. 
[Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\r\n \r\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n1.[ Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\r\n \r\n2.[ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \r\n \r\n3.[ Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \r\n \r\n4.[ Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \r\n \r\n **Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about 
Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
|
@ -78,7 +78,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Hunting Query 1 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials HQ template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -170,7 +170,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Hunting Query 2 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials HQ template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -262,7 +262,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 1 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -405,7 +405,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 2 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -531,7 +531,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 3 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -657,7 +657,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 4 with template",
|
||||
"displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Attacker Tools Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -839,6 +839,31 @@
|
|||
"kind": "AnalyticsRule",
|
||||
"contentId": "[variables('analyticRulecontentId4')]",
|
||||
"version": "[variables('analyticRuleVersion4')]"
|
||||
},
|
||||
{
|
||||
"criteria": [
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-securityevents",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-dns",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.0"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.5"
|
||||
}
|
||||
],
|
||||
"Operator": "OR"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
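Review bot: The new `"criteria"` entry uses `"Operator": "OR"` with a capitalised key while every neighbouring key in the block (`contentId`, `kind`, `version`, `criteria`) is lower camelCase; if the Sentinel solution schema expects `"operator"`, the dependency expression may be ignored rather than rejected, so the casing is worth confirming against the schema or a known-good mainTemplate. The pinned `"version"` values for the four dependent solutions carry no comment on whether they are minimums or exact matches; a short note would help whoever next bumps them. The enclosing object continues outside the hunk.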
@ -1,54 +0,0 @@
|
|||
id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
|
||||
name: Malicious Inbox Rule
|
||||
description: |
|
||||
'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
|
||||
This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
|
||||
Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
|
||||
OfficeActivity
|
||||
| where Operation =~ "New-InboxRule"
|
||||
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
|
||||
| extend Events=todynamic(Parameters)
|
||||
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
|
||||
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
|
||||
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
|
||||
| where SubjectContainsWords has_any (Keywords)
|
||||
or BodyContainsWords has_any (Keywords)
|
||||
or SubjectOrBodyContainsWords has_any (Keywords)
|
||||
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
|
||||
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
|
||||
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
|
||||
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
|
||||
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -1,54 +0,0 @@
|
|||
id: 871ba14c-88ef-48aa-ad38-810f26760ca3
|
||||
name: Multiple users email forwarded to same destination
|
||||
description: |
|
||||
'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
|
||||
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 7d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
let queryfrequency = 1d;
|
||||
let queryperiod = 7d;
|
||||
OfficeActivity
|
||||
| where TimeGenerated > ago(queryperiod)
|
||||
| where OfficeWorkload =~ "Exchange"
|
||||
//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
|
||||
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
|
||||
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
|
||||
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
|
||||
| extend DestinationMailAddress = tolower(case(
|
||||
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
|
||||
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
|
||||
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
|
||||
""))
|
||||
| where isnotempty(DestinationMailAddress)
|
||||
| mv-expand split(DestinationMailAddress, ";")
|
||||
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
|
||||
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
|
||||
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
|
||||
| mv-expand UserId to typeof(string)
|
||||
| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -1,57 +0,0 @@
|
|||
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
|
||||
name: Office policy tampering
|
||||
description: |
|
||||
'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
|
||||
An adversary may use this technique to evade detection or avoid other policy based defenses.
|
||||
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1562
|
||||
query: |
|
||||
let opList = OfficeActivity
|
||||
| summarize by Operation
|
||||
//| where Operation startswith "Remove-" or Operation startswith "Disable-"
|
||||
| where Operation has_any ("Remove", "Disable")
|
||||
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
|
||||
| summarize make_set(Operation);
|
||||
OfficeActivity
|
||||
// Only admin or global-admin can disable/remove policy
|
||||
| where RecordType =~ "ExchangeAdmin"
|
||||
| where UserType in~ ("Admin","DcAdmin")
|
||||
// Pass in interesting Operation list
|
||||
| where Operation in~ (opList)
|
||||
| extend ClientIPOnly = case(
|
||||
ClientIP has ".", tostring(split(ClientIP,":")[0]),
|
||||
ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
|
||||
ClientIP
|
||||
)
|
||||
| extend Port = case(
|
||||
ClientIP has ".", (split(ClientIP,":")[1]),
|
||||
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
|
||||
ClientIP
|
||||
)
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -1,44 +0,0 @@
|
|||
id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
|
||||
name: Azure storage key enumeration
|
||||
description: |
|
||||
'Listing of storage keys is an interesting operation in Azure which might expose additional
|
||||
secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
|
||||
type, it would be interesting to see if the account performing this activity or the source IP address from
|
||||
which it is being done is anomalous.
|
||||
The query below generates known clusters of ip address per caller, notice that users which only had single
|
||||
operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
|
||||
event). The activities for listing storage account keys is correlated with this learned
|
||||
clusters of expected activities and activity which is not expected is returned.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
- AzureActivity
|
||||
tactics:
|
||||
- Discovery
|
||||
relevantTechniques:
|
||||
- T1087
|
||||
query: |
|
||||
|
||||
AzureActivity
|
||||
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| join kind= inner (
|
||||
AzureActivity
|
||||
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| project ExpectedIpAddress=CallerIpAddress, Caller
|
||||
| evaluate autocluster()
|
||||
) on Caller
|
||||
| where CallerIpAddress != ExpectedIpAddress
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
|
||||
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
@ -1,27 +0,0 @@
|
|||
id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
|
||||
name: Creation of an anomalous number of resources
|
||||
description: |
|
||||
'Looks for anomalous number of resources creation or deployment activities in azure activity log.
|
||||
It is best to run this query on a look back period which is at least 7 days.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
- AzureActivity
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1496
|
||||
query: |
|
||||
|
||||
AzureActivity
|
||||
| where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write")
|
||||
| where ActivityStatusValue == "Succeeded"
|
||||
| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
|
||||
| extend AccountCustomEntity = Caller
|
||||
| extend timestamp = todatetime(EventSubmissionTimestamp[7])
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
|
@ -1,41 +0,0 @@
|
|||
id: 9891684a-1e3a-4546-9403-3439513cbc70
|
||||
name: Mail redirect via ExO transport rule
|
||||
description: |
|
||||
'Identifies when Exchange Online transport rule configured to forward emails.
|
||||
This could be an adversary mailbox configured to collect mail from multiple user accounts.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity (Exchange)
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
|
||||
OfficeActivity
|
||||
| where OfficeWorkload == "Exchange"
|
||||
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
|
||||
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
|
||||
| extend RuleName = case(
|
||||
Operation =~ "Set-TransportRule", OfficeObjectId,
|
||||
Operation =~ "New-TransportRule", ParsedParameters.Name,
|
||||
"Unknown")
|
||||
| mv-expand ExpandedParameters = todynamic(Parameters)
|
||||
| where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
|
||||
| extend RedirectTo = ExpandedParameters.Value
|
||||
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
|
||||
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
@ -1,51 +0,0 @@
|
|||
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
|
||||
name: Office Mail Forwarding - Hunting Version
|
||||
description: |
|
||||
'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
|
||||
victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if
|
||||
it is being forwarded to external domains as well.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
- OfficeActivity (Exchange)
|
||||
tactics:
|
||||
- Collection
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1114
|
||||
- T1020
|
||||
query: |
|
||||
|
||||
OfficeActivity
|
||||
| where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress')
|
||||
or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo'))
|
||||
| extend parsed=parse_json(Parameters)
|
||||
| extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value)))
|
||||
| where isnotempty(fwdingDestination_initial)
|
||||
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial )
|
||||
| parse fwdingDestination with * '@' ForwardedtoDomain
|
||||
| parse UserId with *'@' UserDomain
|
||||
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0]))
|
||||
| where ForwardedtoDomain !contains subDomain
|
||||
| extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
|
||||
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
|
||||
| extend Port = case(
|
||||
ClientIP has ".", (split(ClientIP,":")[1]),
|
||||
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
|
||||
ClientIP
|
||||
)
|
||||
| project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
Двоичные данные
Solutions/Network Threat Protection Essentials/Package/2.0.0.zip
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. 
[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contains queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. 
[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
|
@ -73,7 +73,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Network Threat Protection Essentials Hunting Query 1 with template",
|
||||
"displayName": "Network Threat Protection Essentials Hunting Query template"
|
||||
"displayName": "Network Threat Protection Essentials HQ template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -165,7 +165,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Network Threat Protection Essentials Hunting Query 2 with template",
|
||||
"displayName": "Network Threat Protection Essentials Hunting Query template"
|
||||
"displayName": "Network Threat Protection Essentials HQ template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -257,7 +257,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Network Threat Protection Essentials Hunting Query 3 with template",
|
||||
"displayName": "Network Threat Protection Essentials Hunting Query template"
|
||||
"displayName": "Network Threat Protection Essentials HQ template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -349,7 +349,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Network Threat Protection Essentials Analytics Rule 1 with template",
|
||||
"displayName": "Network Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Network Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -502,7 +502,7 @@
|
|||
},
|
||||
"properties": {
|
||||
"description": "Network Threat Protection Essentials Analytics Rule 2 with template",
|
||||
"displayName": "Network Threat Protection Essentials Analytics Rule template"
|
||||
"displayName": "Network Threat Protection Essentials AR template"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -674,6 +674,56 @@
|
|||
"kind": "AnalyticsRule",
|
||||
"contentId": "[variables('analyticRulecontentId2')]",
|
||||
"version": "[variables('analyticRuleVersion2')]"
|
||||
},
|
||||
{
|
||||
"criteria": [
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-office365",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.0"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-dns",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "sentinel4azurefirewall.sentinel4azurefirewall",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.0"
|
||||
},
|
||||
{
|
||||
"contentId": "zscaler1579058425289.zscaler_internet_access_mss",
|
||||
"kind": "Solution",
|
||||
"version": "2.0.1"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
|
||||
"kind": "Solution",
|
||||
"version": "1.0.5"
|
||||
},
|
||||
{
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
|
||||
"kind": "Solution",
|
||||
"version": "1.0.5"
|
||||
},
|
||||
{
|
||||
"contentId": "checkpoint.checkpoint-sentinel-solutions",
|
||||
"kind": "Solution",
|
||||
"version": "1.0.0"
|
||||
}
|
||||
],
|
||||
"Operator": "OR"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
@ -743,24 +743,6 @@
|
|||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Analytic%20Rules"
|
||||
},
|
||||
{
|
||||
"FileName": "Malicious_Inbox_Rule.yaml.yaml",
|
||||
"DetectionId": "7b907bf7-77d4-41d0-a208-5643ff75bf9a",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
|
||||
},
|
||||
{
|
||||
"FileName": "Office_MailForwarding.yaml",
|
||||
"DetectionId": "871ba14c-88ef-48aa-ad38-810f26760ca3",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
|
||||
},
|
||||
{
|
||||
"FileName": "office_policytampering.yaml",
|
||||
"DetectionId": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
|
||||
},
|
||||
{
|
||||
"FileName": "AdFind_Usage.yaml",
|
||||
"DetectionId": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd",
|
||||
|
|
|
@ -593,12 +593,6 @@
|
|||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AWSCloudTrail/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "Anomalous_Listing_Of_Storage_Keys.yaml",
|
||||
"DetectionId": "5d2399f9-ea5c-4e67-9435-1fba745f3a39",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "AzureKeyVaultAccessManipulation.yaml",
|
||||
"DetectionId": "8eff7055-9138-4edc-b8f0-48ea27e23c3c",
|
||||
|
@ -611,24 +605,6 @@
|
|||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "Creating_Anomalous_Number_Of_Resources.yaml",
|
||||
"DetectionId": "a09e6368-065b-4f1e-a4ce-b1b3a64b493b",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml",
|
||||
"DetectionId": "9891684a-1e3a-4546-9403-3439513cbc70",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "OfficeMailForwarding_hunting.yaml",
|
||||
"DetectionId": "d49fc965-aef3-49f6-89ad-10cc4697eb5b",
|
||||
"OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
|
||||
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
|
||||
},
|
||||
{
|
||||
"FileName": "CobaltDNSBeacon.yaml",
|
||||
"DetectionId": "dde206fc-3f0b-4175-bb5d-42d2aae9d4c9",
|
||||
|
|