From 3a86198e2a69b4c034b4933d24443135c3bd3551 Mon Sep 17 00:00:00 2001 
From: v-sabiraj Date: Tue, 13 Dec 2022 18:27:21 +0530 Subject: [PATCH] Reverting Hunting queries and Analytic Rules for cloud service --- .../SkipValidationsTemplates.json | 35 ---------- .../SkipStrcutreValidationsTemplates.json | 7 -- .../SkipIdValidationsTemplates.json | 7 -- .../OfficeActivity/Malicious_Inbox_Rule.yaml | 58 +++++++++++++++-- .../OfficeActivity/Office_MailForwarding.yaml | 58 +++++++++++++++-- .../office_policytampering.yaml | 61 ++++++++++++++++-- .../Anomalous_Listing_Of_Storage_Keys.yaml | 48 ++++++++++++-- ...reating_Anomalous_Number_Of_Resources.yaml | 31 +++++++-- ...direct_via_ExO_transport_rule_hunting.yaml | 45 +++++++++++-- .../OfficeMailForwarding_hunting.yaml | 55 ++++++++++++++-- .../Package/2.0.0.zip | Bin 11199 -> 11302 bytes .../Package/createUiDefinition.json | 2 +- .../Package/mainTemplate.json | 37 +++++++++-- .../Analytic Rules/Malicious_Inbox_Rule.yaml | 54 ---------------- .../Analytic Rules/Office_MailForwarding.yaml | 54 ---------------- .../office_policytampering.yaml | 57 ---------------- .../Anomalous_Listing_Of_Storage_Keys.yaml | 44 ------------- ...reating_Anomalous_Number_Of_Resources.yaml | 27 -------- ...direct_via_ExO_transport_rule_hunting.yaml | 41 ------------ .../OfficeMailForwarding_hunting.yaml | 51 --------------- .../Package/2.0.0.zip | Bin 11071 -> 11295 bytes .../Package/createUiDefinition.json | 2 +- .../Package/mainTemplate.json | 60 +++++++++++++++-- .../MigratedContent/DetectionsMigrated.json | 18 ------ .../HuntingQueriesMigrated.json | 24 ------- 25 files changed, 416 insertions(+), 460 deletions(-) delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Malicious_Inbox_Rule.yaml delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Office_MailForwarding.yaml delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/office_policytampering.yaml delete mode 100644 Solutions/Cloud Service Threat Protection 
Essentials/Hunting Queries/Anomalous_Listing_Of_Storage_Keys.yaml delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Creating_Anomalous_Number_Of_Resources.yaml delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml delete mode 100644 Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/OfficeMailForwarding_hunting.yaml diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index c2475f0a2c..8a0cf3852d 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json +++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json 
@@ -1174,26 +1174,6 @@ "templateName": "UserAgentSearch_log4j.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" }, - { - "id": "e2ed38ed-c1df-4258-8da0-f5e94153359b", - "templateName": "Malicious_Inbox_Rule.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, - { - "id": "18583af2-43ca-46af-9bcf-3a725d5bbc35", - "templateName": "Office_MailForwarding.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, - { - "id": "2ac22977-a8d6-41e3-94a4-0d17f55aec35", - "templateName": "office_policytampering.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, - { - "id": "f43cd5a6-69fe-4a2b-917e-b514e1b24ab1", - "templateName": "Anomalous_Listing_Of_Storage_Keys.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, { "id": "b226c3e4-b909-45ef-9c03-5ae9db8dc2de", "templateName": "AzureKeyVaultAccessManipulation.yaml", 
@@ -1204,21 +1184,6 @@ "templateName": "AzureResourceAssignedPublicIP.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" }, - { - "id": "d5a24602-f84e-43a4-bcf0-4a7a02f02930", - "templateName": "Creating_Anomalous_Number_Of_Resources.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, - { - "id": "ccbf00fb-216c-4886-9038-27d163081ab1", - "templateName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, - { - "id": "0b9c7ecb-9191-423a-8a9a-94ad492f595f", - "templateName": "OfficeMailForwarding_hunting.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, { "id": "216630a8-b01a-4028-a987-659eabc6c3bc", "templateName": "AdFind_Usage.yaml", diff --git a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json index 44f4f4b486..351b786555 100644 --- a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json +++ b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json 
@@ -208,15 +208,8 @@ "85695071-6425-4ebf-a2f9-e7a827569848", "9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3", "939d1daa-9ee5-43ae-ae96-12c30c41e528", - "e2ed38ed-c1df-4258-8da0-f5e94153359b", - "18583af2-43ca-46af-9bcf-3a725d5bbc35", - "2ac22977-a8d6-41e3-94a4-0d17f55aec35", - "f43cd5a6-69fe-4a2b-917e-b514e1b24ab1", "b226c3e4-b909-45ef-9c03-5ae9db8dc2de", "fedcfc8f-8bc5-463e-ad35-ae68790f7d65", - "d5a24602-f84e-43a4-bcf0-4a7a02f02930", - "ccbf00fb-216c-4886-9038-27d163081ab1", - "0b9c7ecb-9191-423a-8a9a-94ad492f595f", "216630a8-b01a-4028-a987-659eabc6c3bc", "e7494988-910e-49a2-83fb-0d3ff0a3bb3e", "81becf02-9f95-456c-8dba-661f5383dcf2", diff --git a/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json b/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json index e94423f6b1..3942799139 100644 --- a/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json +++ b/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json @@ -235,15 +235,8 @@ "85695071-6425-4ebf-a2f9-e7a827569848", "9bbf2a02-a20d-4eaa-ab74-3b60cfe6f3d3", "939d1daa-9ee5-43ae-ae96-12c30c41e528", - "e2ed38ed-c1df-4258-8da0-f5e94153359b", - "18583af2-43ca-46af-9bcf-3a725d5bbc35", - "2ac22977-a8d6-41e3-94a4-0d17f55aec35", - "f43cd5a6-69fe-4a2b-917e-b514e1b24ab1", "b226c3e4-b909-45ef-9c03-5ae9db8dc2de", "fedcfc8f-8bc5-463e-ad35-ae68790f7d65", - "d5a24602-f84e-43a4-bcf0-4a7a02f02930", - "ccbf00fb-216c-4886-9038-27d163081ab1", - "0b9c7ecb-9191-423a-8a9a-94ad492f595f", "216630a8-b01a-4028-a987-659eabc6c3bc", "e7494988-910e-49a2-83fb-0d3ff0a3bb3e", "81becf02-9f95-456c-8dba-661f5383dcf2", diff --git a/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml b/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml index 13500cfa6c..ad6d27ae0e 100644 --- a/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml +++ b/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml 
@@ -1,4 +1,54 @@ - id: e2ed38ed-c1df-4258-8da0-f5e94153359b - name: Malicious Inbox Rule - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a +name: Malicious Inbox Rule +description: | + 'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. + This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. + Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' +severity: Medium +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence + - DefenseEvasion +relevantTechniques: + - T1098 + - T1078 +query: | + + let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]); + OfficeActivity + | where Operation =~ "New-InboxRule" + | where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage" + | extend Events=todynamic(Parameters) + | parse Events with * "SubjectContainsWords" SubjectContainsWords '}'* + | parse Events with * "BodyContainsWords" BodyContainsWords '}'* + | parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'* + | where SubjectContainsWords has_any (Keywords) + or BodyContainsWords has_any (Keywords) + or SubjectOrBodyContainsWords has_any (Keywords) + | extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP ) + | 
extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords ))) + | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) + | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail + | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Detections/OfficeActivity/Office_MailForwarding.yaml b/Detections/OfficeActivity/Office_MailForwarding.yaml index 437c0163b1..d98163c48b 100644 --- a/Detections/OfficeActivity/Office_MailForwarding.yaml +++ b/Detections/OfficeActivity/Office_MailForwarding.yaml 
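Review bot: The restored `id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a` differs from the removed stub's `e2ed38ed-c1df-4258-8da0-f5e94153359b`, and the same commit drops that stub id from SkipIdValidationsTemplates.json, so the id-change validator may flag this file unless it keys on the restored id; worth confirming before merge, as the other six restored files follow the same pattern. The new side also ends at `kind: Scheduled` with no trailing newline, as do office_policytampering.yaml, Anomalous_Listing_Of_Storage_Keys.yaml, Creating_Anomalous_Number_Of_Resources.yaml, Mail_redirect_via_ExO_transport_rule_hunting.yaml and OfficeMailForwarding_hunting.yaml; adding the final newline keeps later diffs clean. Within the query the hard-coded `Keywords` list is the entire detection surface, so a one-line comment such as `// Keywords is intentionally narrow; extend with tenant-specific helpdesk/alert phrasing` would help whoever tunes it.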
@@ -1,4 +1,54 @@ - id: 18583af2-43ca-46af-9bcf-3a725d5bbc35 - name: Multiple users email forwarded to same destination - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: 871ba14c-88ef-48aa-ad38-810f26760ca3 +name: Multiple users email forwarded to same destination +description: | + 'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. + This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' +severity: Medium +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity +queryFrequency: 1d +queryPeriod: 7d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Collection + - Exfiltration +relevantTechniques: + - T1114 + - T1020 +query: | + let queryfrequency = 1d; + let queryperiod = 7d; + OfficeActivity + | where TimeGenerated > ago(queryperiod) + | where OfficeWorkload =~ "Exchange" + //| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") + | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress") + | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) + | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source') + | extend DestinationMailAddress = tolower(case( + isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""), + isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""), + isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")), + "")) + | where isnotempty(DestinationMailAddress) + | mv-expand split(DestinationMailAddress, ";") + | extend 
ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] + | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]) + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP + | where DistinctUserCount > 1 and EndTime > ago(queryfrequency) + | mv-expand UserId to typeof(string) + | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.1 +kind: Scheduled diff --git a/Detections/OfficeActivity/office_policytampering.yaml b/Detections/OfficeActivity/office_policytampering.yaml index a21ef90a5c..e75ce97823 100644 --- a/Detections/OfficeActivity/office_policytampering.yaml +++ b/Detections/OfficeActivity/office_policytampering.yaml 
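Review bot: As rendered here the named groups in `extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)` have no name after `(?P`, which is not valid RE2 syntax, and the capture-group argument `dynamic(["IPAddress", "Port"])` refers to those groups by name. If the `<IPAddress>` and `<Port>` names were only stripped by the page rendering this is fine; otherwise the pattern needs them restored or the query fails at parse time. The identical expression is restored in Mail_redirect_via_ExO_transport_rule_hunting.yaml in this commit, so whichever form is correct should be applied to both.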
@@ -1,4 +1,57 @@ - id: 2ac22977-a8d6-41e3-94a4-0d17f55aec35 - name: Office policy tampering - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 +name: Office policy tampering +description: | + 'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. + An adversary may use this technique to evade detection or avoid other policy based defenses. + References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' +severity: Medium +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence + - DefenseEvasion +relevantTechniques: + - T1098 + - T1562 +query: | + let opList = OfficeActivity + | summarize by Operation + //| where Operation startswith "Remove-" or Operation startswith "Disable-" + | where Operation has_any ("Remove", "Disable") + | where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit" + | summarize make_set(Operation); + OfficeActivity + // Only admin or global-admin can disable/remove policy + | where RecordType =~ "ExchangeAdmin" + | where UserType in~ ("Admin","DcAdmin") + // Pass in interesting Operation list + | where Operation in~ (opList) + | extend ClientIPOnly = case( + ClientIP has ".", tostring(split(ClientIP,":")[0]), + ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), + ClientIP + ) + | extend Port = case( + ClientIP has ".", (split(ClientIP,":")[1]), + ClientIP has "[", tostring(split(ClientIP,"]:")[1]), + ClientIP + ) + | 
summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters + | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml index 2d74d9aade..1b632c7d8e 100644 --- a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml +++ b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml 
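Review bot: In the `Port` case expression the first branch `(split(ClientIP,":")[1])` is left as dynamic while the second is wrapped in `tostring(...)`, and the fallback branch assigns the whole `ClientIP` to `Port`, so `summarize ... by ... Port` groups on a mixed-type column and a parse miss shows an IP address in the port field; `tostring(split(ClientIP,":")[1])` and an empty-string fallback `""` keep the column a consistent string. The same `Port` expression is restored in OfficeMailForwarding_hunting.yaml. The `opList` derived from `OfficeActivity | summarize by Operation` is computed over the query's own time range with no further filter, which a short comment such as `// opList only contains operations observed in the current time range` would make explicit.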
@@ -1,4 +1,44 @@ - id: f43cd5a6-69fe-4a2b-917e-b514e1b24ab1 - name: Azure storage key enumeration - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39 +name: Azure storage key enumeration +description: | + 'Listing of storage keys is an interesting operation in Azure which might expose additional + secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this + type, it would be interesting to see if the account performing this activity or the source IP address from + which it is being done is anomalous. + The query below generates known clusters of ip address per caller, notice that users which only had single + operations do not appear in this list as we cannot learn from it their normal activity (only based on a single + event). The activities for listing storage account keys is correlated with this learned + clusters of expected activities and activity which is not expected is returned.' 
+requiredDataConnectors: + - connectorId: AzureActivity + dataTypes: + - AzureActivity +tactics: + - Discovery +relevantTechniques: + - T1087 +query: | + + AzureActivity + | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" + | where ActivityStatusValue == "Succeeded" + | join kind= inner ( + AzureActivity + | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" + | where ActivityStatusValue == "Succeeded" + | project ExpectedIpAddress=CallerIpAddress, Caller + | evaluate autocluster() + ) on Caller + | where CallerIpAddress != ExpectedIpAddress + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress + | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress + +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity \ No newline at end of file diff --git a/Hunting Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml b/Hunting Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml index 693280464b..b280f8907c 100644 --- a/Hunting Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml +++ b/Hunting Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml 
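Review bot: `ActivityStatusValue == "Succeeded"` is a case-sensitive equality while the operation name on the line above is matched with `=~`; it is worth confirming against the current AzureActivity schema, where the value recorded in ActivityStatusValue may be spelled differently (for example `Success`), since a mismatch silently returns no rows rather than failing. The same two filters are repeated verbatim inside the `join`, so a `let ListKeys = AzureActivity | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where ActivityStatusValue == "Succeeded";` at the top of the query would let both sides reuse them and make it obvious that the `autocluster()` baseline is built over the same window as the events it is compared against.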
@@ -1,4 +1,27 @@ - id: d5a24602-f84e-43a4-bcf0-4a7a02f02930 - name: Creation of an anomalous number of resources - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b +name: Creation of an anomalous number of resources +description: | + 'Looks for anomalous number of resources creation or deployment activities in azure activity log. + It is best to run this query on a look back period which is at least 7 days.' +requiredDataConnectors: + - connectorId: AzureActivity + dataTypes: + - AzureActivity +tactics: + - Impact +relevantTechniques: + - T1496 +query: | + + AzureActivity + | where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write") + | where ActivityStatusValue == "Succeeded" + | make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller + | extend AccountCustomEntity = Caller + | extend timestamp = todatetime(EventSubmissionTimestamp[7]) + +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Hunting Queries/OfficeActivity/Mail_redirect_via_ExO_transport_rule_hunting.yaml b/Hunting Queries/OfficeActivity/Mail_redirect_via_ExO_transport_rule_hunting.yaml index e43726fc58..56b6fa6798 100644 --- a/Hunting Queries/OfficeActivity/Mail_redirect_via_ExO_transport_rule_hunting.yaml +++ b/Hunting Queries/OfficeActivity/Mail_redirect_via_ExO_transport_rule_hunting.yaml 
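Review bot: `todatetime(EventSubmissionTimestamp[7])` depends on `range(ago(7d), now(), 1d)` producing exactly eight buckets; `todatetime(EventSubmissionTimestamp[-1])` picks the last bucket regardless of the range and survives a later change to the look-back. The `make-series` output is the raw `dcount(ResourceId)` series with no threshold or anomaly scoring applied, so a comment such as `// no threshold applied: review the per-Caller dcount series for spikes` would set expectations for whoever runs it. The hard-coded `ago(7d)` also overrides the time picker, which the description's "at least 7 days" hint only partly conveys.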
@@ -1,4 +1,41 @@ - id: ccbf00fb-216c-4886-9038-27d163081ab1 - name: Mail redirect via ExO transport rule - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: 9891684a-1e3a-4546-9403-3439513cbc70 +name: Mail redirect via ExO transport rule +description: | + 'Identifies when Exchange Online transport rule configured to forward emails. + This could be an adversary mailbox configured to collect mail from multiple user accounts.' +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity (Exchange) +tactics: + - Collection + - Exfiltration +relevantTechniques: + - T1114 + - T1020 +query: | + + OfficeActivity + | where OfficeWorkload == "Exchange" + | where Operation in~ ("New-TransportRule", "Set-TransportRule") + | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) + | extend RuleName = case( + Operation =~ "Set-TransportRule", OfficeObjectId, + Operation =~ "New-TransportRule", ParsedParameters.Name, + "Unknown") + | mv-expand ExpandedParameters = todynamic(Parameters) + | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) + | extend RedirectTo = ExpandedParameters.Value + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] + | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters + | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress + +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + 
- entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity \ No newline at end of file diff --git a/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml b/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml index 4f87a2cf9a..a5a4b2c1ed 100644 --- a/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml +++ b/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml 
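Review bot: `OfficeWorkload == "Exchange"` is case-sensitive while the Operation filter on the next line uses `in~` and the detection restored alongside it (Office_MailForwarding.yaml) uses `OfficeWorkload =~ "Exchange"`; using `=~` here keeps the three restored Exchange queries consistent. The `"Unknown"` branch of the `RuleName` case can only be reached by operations that the preceding `in~ ("New-TransportRule", "Set-TransportRule")` already excluded, so it is dead; harmless, but dropping it or adding `// unreachable: Operation already restricted above` saves a reader wondering when it fires.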
@@ -1,4 +1,51 @@ - id: 0b9c7ecb-9191-423a-8a9a-94ad492f595f - name: Office Mail Forwarding - Hunting Version - description: | - As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials' \ No newline at end of file +id: d49fc965-aef3-49f6-89ad-10cc4697eb5b +name: Office Mail Forwarding - Hunting Version +description: | + 'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on + victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if + it is being forwarded to external domains as well.' +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity (Exchange) +tactics: + - Collection + - Exfiltration +relevantTechniques: + - T1114 + - T1020 +query: | + + OfficeActivity + | where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress') + or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo')) + | extend parsed=parse_json(Parameters) + | extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value))) + | where isnotempty(fwdingDestination_initial) + | extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial ) + | parse fwdingDestination with * '@' ForwardedtoDomain + | parse UserId with *'@' UserDomain + | extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0])) + | where ForwardedtoDomain !contains subDomain + | extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain") + | extend 
ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP ) + | extend Port = case( + ClientIP has ".", (split(ClientIP,":")[1]), + ClientIP has "[", tostring(split(ClientIP,"]:")[1]), + ClientIP + ) + | project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination + | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity \ No newline at end of file 
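Review bot: `tostring(parsed[1].Value)` / `tostring(parsed[2].Value)` select the forwarding address by position in the `Parameters` array, which breaks silently if the parameter order varies; the detection restored in the same commit (Office_MailForwarding.yaml) resolves the same values by name with `mv-apply` / `make_bag` and `column_ifexists("ForwardTo", "")`, and the same approach here would remove the positional assumption. `| where ForwardedtoDomain !contains subDomain` suppresses every destination whose domain merely contains the organisation's second-level label, so the `Result` classification on the next line never sees such destinations; a comment stating that this filter is meant to hide internal subdomains, and tightening it to a comparison against the full `UserDomain`, would make that coverage decision explicit. The `Port` case expression has the same dynamic/`tostring` mix and whole-`ClientIP` fallback as office_policytampering.yaml.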
diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/2.0.0.zip b/Solutions/Attacker Tools Threat Protection Essentials/Package/2.0.0.zip index 5c95b088778f9a33b24eab4772918ac5e0fabff7..3af89f595c78d9f349e148df82ee59c393f0d24f 100644 GIT binary patch delta 10705 zcmZviQ*$m1l&oXhwr$(CZQFih+qP}n=8kRK**nSk=JHIusk%!TY_41uZ z%r(Of*)ILoi%VR`cOn=t{SpUfa%Hj_UPsPvz(Qg&-KN5pp8xGpG)dGHu_ae-hGqEA z%liQH+E)a01<7GuMJ;<92dm;=e?b&7zEjks$UhMOOzXvws!KCjzw-`^8@Fd#JCjY; z_5tg`x{rTnK$+94T2;!1lnHb{8K8fdX#5wicnnnYC7KpTucg9uu-V&(25=)V}RkLpA7;|c!m!$CnVfzvXD7h*xXIvB!)wE zEZPtLDQ3xKE*-YC$na(_1V^>5_@&|&4FQ&t!=*Uy$bKyE!9rNjoe8Id6TjDOien3U zsLnxL*|}|-vSM%0-~#+|^^cF$Ca3;r6aWNd7nW~tIj5s5wzqFgxX^VPLl-us8dql2 z=2R%+roy-#Gf19fck(ZDf)kXT6(CvSw@^K`C|XZD>)eKGO+0Aed8wg#=wiS*g8|me z7+Z=lU~m&Kz2-J_38r*#4D&DA(-)AVCfnPfw%%S*K?Vkep0wCqQ{}b z;sz*2)G$_^FdNby|4-%&Eh+#`8nc5Ift ziK9Y#9%F54+?8I*&fL=SKucirngF^pYU-4?!7!0d2GuMnUx`y5G<}X~b35M+$lew| zv>Bw>5A+OX!m;3?%FR?mXb5zjGIOZY#oI`<^PvQp(nvX+Vkk;AvI!*ye3l%M^>KU% z9Xz;*kZ;W!m2qa+3MJV=tul*?53IGau?RgJ>oDRRtyzRijK_kO6)AEpUBIQ6FB2?-St!g-|%s5xFG>bc?F|?j_ zERFh>-B6zq%q?6~J9w%^&e}GY0;5I?ZZ#Q0yw(EP_mV!bN^LQZ%q%VJ4Q5!TnL*nz zf1IY*?OBs=9(<;?J2`0}9S{yATs9LiMD5GCA~kn_S*A^3AbgcwLQX;C?5!7*h$wmq%wwtZ1sE_&=dDO!=3m!@JU<^`)wZ|Y(g=ViAUwfclI z4QWbcOZvw?*D!>b`LazO=$vjw|C3^}@$jP0Lo{By>g`wlw0xB8dIV9|C|8cipk|`Y!?pC|_cFvUV@S)h zERIT~Z9#zG0brZC5N@j0bauhq38uP5r-K5U3So!{N;$zEKRU@QX8B#A-`E#{o}~f} zqL3a$RyJ`yIg!bV`SCbAD|VPBDcrQ~Dw*`4E<*F}=FNN8R9ztg<$2^K$)OuRuQf!B zl$(PbZdV;c{V*kX>~arDN$l2TbNW?*eh;&5(%QsW0(y9Rc>D4w`|=`mk-T$!Q}8nTuhJC9IMg zkzJ{}bo5)GToqH8q*zh9-1?3qFYt-!j~SQ_wYPE2wtFOfYc7Fw^9F%i7-%neZZ;Rx zwHMp30PN=ZCJ3DS#9HSQYg>kpVD^K@qqiX{OOYPN;<^R%z4Hq?iVHfr`VwXi>KXQV zZQYjilv7`uIrMh^{bm&iv81~7 zpb?Z#=0&YR2vaPlx?qp%>D}&GQyERUs8%WlTV8I=S0@uf4v;U zfc0t{j#~K%(>bx-c+3X}Z(GTT;7WB{9pIU)vTBd2{5Ed&bH2OJAK``WJFw_2JagZt znZL$~p_nW_9yf&n4Lp}&_gjB>)n<-%*dY5wz7YrXo+{@T{veaILGd7XVMaO^P@}xs*tcSw{N<<3!5v`w) z#;ug#D4&wI6Na?EG-3;ySw`amWor+npwN?Gosb~|K>poY=i{W!8YS?nujbVoE5u$n 
zVmUQjNBc5`-aJ)!`S=#7*#XKs6>HQ?F6a>z8pL>WvdxZ%8CGGTK1snFhLB>fUtI@T+=Y? z%85QmKYtcIzsm7@hSiFG^v@wrl66c4+1qId<(9y%n5TYoIo0L?1A5iT2^e5O-I0r( zHsn|>18Jw|@Eu$O;C@GXtBrL{HreQJ0KILr=?|h!ayH0$POU5sBf{O#Ro8)#tXs6a z_(J&2K7BBU;uV3#1Yc1F;KI}_zDOudHq|3o+|t3{YW`yqV;fb zl@h8YitP`L5lLUNPT3tV?yTUn?~aiyjp(ux_2Tf$N4@3QFkIy9b)eYAiJrr76z zp9z6;a+-mDB64glS+AAyhoe#~lk~otmQff8Nh0_FvW@4xPsM#Y0C=rh`I8;GLtGF& zohS9>FUjGfcxrac;*@DF*AQRSrYx+6l3Hl)32ufPie?SrP`Xl3+dh68{K5P(Z!7Hu zg356L*dYfUFX!-oz^A@O8R~1&7%5r4&52fFn|-_ zHm<8E>q>!1B$-+Pph&5A6Gp(H6X2noS4*GJ^F7!9o`xppqDQ%CtA?uS>$yo=Bn?_o zo)KCWh$r9F(Uzz$cH<%deOd#-vO8445X!?jI#H!uIGmLLDl7Fjv&hN$8QG;2{P*Ey zd0sKmBlz9e@%}ND(#LL~8qihb6ebd0w#2@-QmFOy$E}DFaMVbxspF?bB>F44Y9_fj z{d6`mc0^sF>APr`7hlHF{%zQAcyM#u;5Bj)jmVuK-!;rHl6qqaJ1?7ne>YUjCwkme zyvn8hS+q-}%}0wohvRTco3%n6aPSKN`v0@{6o|Fe5g`yz;S>-M@_&ik-q_kfEhQZm z8Nkv0`#ZmLAGoxOy@{{vxb5QMYKgxs-P?v=S614CYN;0)O19=#31+2R=PUS^9}>tA zr78l|USHFu97Fiv;Gh@iAA;2P*Z!}#)FtB%9&1LrLDI5TBs4(1rYgBwmY>Ij;aM#0 z2L+CjE8Fb|xZ0GMNh{Iok zx0TAZM?wF6^I#n{BFF&~V6-Kr*l(a3gAI!VR{&L{uoqX>N6<$PZW^&@bmYyrI0jey z)u#egAu9=+sM!VNi4>I0UUT4!|NddAAOaS8DegybR`VP6xzJEK0weL#J{kZO2cUF- zyrJlP@j-!Z!_^H1Gv+qj=*s}IjVqpeh-81C>rKiW-V;~4VIqpdbA;+HvU%q^*hvUM z;fwikXlB`g^ZGyk}jll`(TkK7v{}mjXtBuYA1^$TDk|`dlNRjF)0=kZLgi$&I z{`siqY4S22aG?dk#=ggN%nwhu0*J5>)PVjBLf$?OR)(!YVYWD#@D=PlMYUleHF=hF z5p17hZsKmzGTIl;7#Z|5e|;uJ;iMAx`z`PPhjHnYe`52Lhkmkk^aUpYgMXLWupzY- zreimL#}Bp$92HdjdEh)Oif+cSsE+{jVSY{Ksn6{ z`<_W0W|v1dioIBltj1CMTPu_i=l@M1d*!;bt-#%-x)--w4n{oVQQC+xo|w~VkX=eA zr-~afd3I4i3|r1q%YM|E4$zgI7-W@QYoS}Ky+@QUVXsAu^*A6)+vbR@{ADOG(9 zf>73W?oKd=(g)4TIP`{NjVSk5{s!fAS7sCI*DjT|$nqDD#r%nvHl+w*2RN=J01*us zuy%D)06pcUcO}c#OPQ&5tDwE4YA@Tfa7Cd(y*`~5e6<9^bUVzrjzZ62oIfV$B`ueD z3Vzrm6ttPxDfU6FbTaeB;CzEvNvgo$>xc#3w_geYWpCL_bPOt{i)~%rVcLwi@#u?O zv3WOjhP={Air=kjVTi_#iu=tXN*ZGT_(|`}61KLuJC#FNI$ysrueW5}#j*HIRXfw` zb@;=JjhRs6!`gHuF~$3L-9nt7+uVBXYGr$C-~f zI^8ObNb#X7F*q94?92=QUX~4NX?GH0NEx8eN_evNs|^8M>37R5mk8X}XsKWTK(&Pd 
zX`jnmSSOdUP7|FqS-n;X)61X`z+4@7znr-9oThg<3;Fw+)-!NWEMBO|Apbcp5Kvq$+DgIbiT1V z+g*FUJO9+>Mwa(KVoJ$(b+MZ1_C%H_aM#U2l?ngzDyq;uOX@GzO_VD?ij}VJg!{}! zrJm_!E&~xROoavOiuVr}AbjvJCmifwFxU!`G~PD!r&2Q0(-N|uvI3uJ_$L$ja#L&) zTj`922`?D?A2t1f zHTC{Cp8C&eO2Pe#r;Km&H@zmwoCdsT7=fCTY1)U{J^0ycEy?mwh2~*^8g&-0Mt;Xd z;47~0TcK>fa-H`RZx%Bki$1%Gb>>Bt^3BWVguQWwcN@gEZp^w8o#KmP_UXeBrI9yh zmof7p!y(QV_U-Nz5bdC^z!+joDUa7Uil6CsJFFivisM|+*wgd3wd;5L_S9vBPzua) zs*8SPhsY&U5hLgM7FLz^)6KztL55!FkA$gnrvX5_M!FK+roU6QR%`z^_+mjfI(}-15L7W5;;Ed7=Do8R&&lsS_deqq zuYMT9Q4mB8%h46H4~nV_tYq(q+@e5gJ6k8Q(KnENVkfpO7fiVH^{0VD%8tDFYRHq!!y%&mI&@2{>CdX%rpE3uadL9 zf!0=h`}W70CJ${}bV&m{HlISb` zw@kspAOgSHnM1Ql;m4o^&@)%11vPoG841TeJ5G)0bZYe(F#UWE)04c>BR8G73Xi(1 z;hL$7*#+oV1Of*90go>OgNVwDqYE2 z_E`-ck^>w4aQzvCHef1RFza$vkNITcT&0s)J)8CndbJWT4GJk>yBl4u_*U0VL9XjN z7Lw^%1d4gXZwGejRp9j|L1}D4V0n#Cfjfx_R0Yz}BiculGDpMx>&-V=9ALc###VI= z-6iti@FOLoiRh*Q$8~Kn=Q*J;-;K8~#tHDHM&(TYPC3@>o^iaeC*VIoX;{o&VP7dN zFiCsavY;CTg%}1&#Bxk@4KlI&RV&VHSaZ3t&*UhmL&581)9zErO!20!MGW%mkXbYL zf13M>7zd(>PKHICpc&-i8Xt0|`c6Mdj0AO`!UYc9&AQqF6RVp&b_or_n+FSB9VFFV zoC7Pf)B>l%0(eDR3_)D--sudy8&mv*nnM_7D^UPM{e-OJQSoxys{7;}Xi+Dz6ctP0 zhCZFS$8X)RVzR_oK2Ncz(sUzxO9Cv^G5Z9HCk(k;m7J}4xQZUB94YG{@v9cgXoa1d z*WVz#)G#W50JPJRFW}G4w&V#4gwqBat}p)epdCIOHb2*nE!&o8_r8D~+~!{6(q4&% z>jv|6UP#EdaEa*VP!anD8&2(r&fnIsMZ!#Yrs7*A-XUG{&jU15i@oWg8Di6$p%g9a zYs&9{3|W@RJc0rNfE&V!oeLRKowFx_?X2XR5>OZ5B3~t?8~-)EPPr1&dy(C1A*0UPnN+-3c4z_GvcDg$VfF6^~4 zL=$B9xXit=&Qt?f4ke!}422&Gg!2vqMfM*-eF9%GqXY>$rO9L;)Nx)mRE(DiHbbOt z==u`C=Z0sZAAbgN6!A3q9KIb#QktF*l?tyBM)CZYSS?{~+*!7=Y};h4r9<0}qQ>7( zT@ARmMgDpkSl{$Emm_%wl1xybBT7W7*|er`30N)aJTX*Fh4U`3tky?Z9$`8!`@`Yc zTdf(KQr6grd4mc%(JxvR&irdoV8@He3|*Y z&vhijoq!UXd0pSyp;8~=1&dbPruI2!fBSe^P+4@!u4cuE-}s4s%ca$wFdgM|TL(12 zwMCap0g0i{9WU(n=_;L+Yh5UtHOe;Idd=x)zJ0cB&Y6!lt+2iBf#cYL~X;JE6;G=zaBYf$G&e7MiCEuyF ziWPpgsbBuzVUJr~nt&<;UroDAyf3^#1Qn($1Uvwl{Z=uP!-hIG@N4J&-U!eBLy13D z#`1Xl1Me%HXdE%_#Y#wlcZb+;`I{TRD7IJ+pY&fphAH=Ct2UeKG?YYCN^&$CJUQAD6yidG-iw{~2(Y!XYoDRHX 
zrlra!HI2L?<*r^`$j30u-O0P}gSfaVdH0<ge-=;xd8jrw{jYr%X?;;n0BEq%Md%g`JVqQ@ns2gQdA(}vS#Orfqb)VezI0JoZf{_5GC=@2wifx^G)K(~ zNV80qq;<4nY(u(CvRFXE$r8-O<*yPqnYVT!?50f)Z!{UkL^=COo3J*3_~0KOIQrNd z`$?;D4~;_oY3IG&5=Q1Pj?s^&-JiCLU?_&aQ)$HOHgMU_!%bFCd{Cp?SDUDnU4OhMh4mR^?yvc z&J^QkI?mR}7|}Bd2&({gzr)VnsGzNNOrIi&_ytmj>dT^y@D3Pjrih&{N~>w6u_gOG zDPd2NOCNM%zbm7mL75in18aZYY%ju9q<7Ac$VDVy#$%&&?ykJt;Rx_^M)UJzZ*q$6 z9YXJ`lO{f6v1|EJZ7l*lB2?#VmPqM8P`0m54EV>7ocv5BglYik$7V2Z+s;YDmnjpn zccz6uYX}e?p|ks$C}RnXjv+yv=zQJfhoW*#z6q3PFD0CPB{9{6)sikg6%&LF^IyLT zFekLeM>8`&(u(?t*C;lpFT$g0kKLXbOgNP2Ms%*`Q%;>&<}genOkIj?%HXWW35*fV z>|C2vg2=>-j~#%&W;7)6BH;?U*nQNV{tf9OFwNdk>kYVZ;!^!S{PViswHaW~E#l8n z5m|qqt3qR$>1RnVTI%jawv+WM>MdDFq&dju7A08Wnmc5&E2d{RI-tYtgNb!*bBrcy zIuKxTUmHo>C&P7T{~?BD{q8jDE_Q>eg&<=LykHKd!~ZljHGj3tf}Zeu(8u#`XV81Jet{bBD7;6Uo=pbiI@ zXcvht>XT=-BO6=%*+LV2(!k85qG*izNufmBa-~ho$X3cEtg`!6L4m1y*P9yoCb$3& zx@W-gLxcz9=gNdomfLd6O=c*O?+H=ZAX4mKgmhMgG#m}Z&D-2p$Ux1#3}Zhx*0AmB zMPCbj!?Yo8MDkzU863~d`pV@p9b7%?zkticx^6@jY}eB_a=C}S_jlk!LQI|1eSq8> zX@&8>`!-rJ+|Q%Gl;iDtyn2~wL*x%b0Q2R0d;S3ESxb9g`#+UMn#Y%*UY-#F45^`^=v-VIsul^FIZ$ zD&jpRVC5Z%RPk5f6;b&`pQ5_sP#a+}SH%TensP~R(H`=^C759}KaxATmuD(K{H`WfkiY{iygVXXD#}O&8-4NEaLV_Tm~pQQ`4Y4;LE)@xH1HemBRU zideYbouWA4Sd1SS?l9k&x!@~%4Bd=8SLj?L!&_zXP zu`TvgS;bYbz`unaslMCa#~0u=l6Iya=SRjDJi=lvy_a#t&~?HHg6tG1k!KE?e<#}% z*N_4q6>u$ooV(qUA68C3V9A}SF8dOOt=tAGK$P&ZMeeDhdXOL)2PIN+c!mK17njlm zJY!N8xkm{4;n|8zQ#G>ctY{w)10DUQ)?eH<8cZ4$oSCd(xqM%3VO?VxCl~7zjgzk|MxQ3e}1<>}VuN z!={?Xi1LFW%C$*fNc?@V-xnSsA^j@&BQei^{*G^*K+$jO4k}Bgo8y5O3Y;|V z^aywTcJ6%W38~?5HG0q2%sYz|Ph23=&?`1Vr6FdccI8u$8j8v=B54{iy(N)=_lg}y zZ3!L`)E9O;HN+#nTLhpS=>r@AFH$wCzBmbi(HMdV2@Zq+JDL$VyOfjVngXsIXs%1g zn=CU83_f+8*%Ht-hA7L?^Zm2^z{thIV6qcQ^(@mx1pP^t*;=7llB0#xNT#BmMWHO1 z9T_JeTj3fSc%fw8csfNj{B-G;3RLt}d1=MvUU(nk`an5OtP4=S9W%jchEGuRoizp8 zmNeOc&_x=Ese+bJ>kVRTL%jxQ6(ZfRfo;X;9bTbPkMTNc%xdr)jY+Sc>Yd=Hk?3vq5P=14ZfwkLz_V$i#iO}~K8JYo{GImS z@wCBI(7QJ&jRfFiaji{LewYa&WM=#-u;TFe#O($`N)NuA)p`eQE47zwC}H5+5VH|V 
zg%xStds)tAcN39`7P5j%U)H#)Z?2}(tpTVJ$#HP8_t~( z*a~_(3B4z6zRUO(Z0`nP`;d8*h|d0|9E9I=LqR;T^;1^q0=|@bf${=S^ zCjnq~)r0rAGGuefkfme$52|xZAp>Lf$n{XaDgHfxTAm& zV_+7V`7}u6%JmDFNe6FGmb|kyND3gwQjKxLi*W|a+4WYFuV`NNG23}V*Pra?-;7*F zg%ZvX_&8E0@X5#I2}Y`4|4hB7LND-83_$-y99T8F`!NTwFH2@TG^`_X>>wT?g6+s5 zqveN>1{2=efXE?Df9YS<+Z)9LzLG3SZ5H|D!vV*SrP`J2{GIL(6<1XLLal#yuU&3V{><|J+JK4e z0ihAYR#HNtH*F{A%iowVkfmH-CLM$=R(Fw%d6Hg}kynx+lXFBN9@PVN$ z*35ld7Ci1w^^fzlYF`p=ma0`R=;POP(8$nk&Ysf7+$R-+hi-wtPvw)g0^lGvtaq%p zO4ZK-?IZIFiwK>@buW$%sjpjPtWTZs)%$!bU8E&@=o! zd5}X+XDfxDq|ZFmWp>K^3y@Z>B|0OLD~n%SEmn-ZN;D(Bv-ngoNfaRw;4j{Kx3M0s zYBYDQsIN!w%|6XSsVSO7CF7>mN$7nAeUkQH*XVLJl&opTWks(qrSoi?V}GUN2)wr- zjo$)Fhu5O*xF*QaA*g&$BF`VfkSI$>1wtDiW}#TGIO^kuY^oon4HFn|omNQz1h^Tr! zb9x;q^?dIuCWaGIhlXvP*Fgd^Or&ROVxNY4gInT)Mc*JHo2aiC9OLlS5GsxQQ8>5_ znsu`rKN0@+Gl7Vk0_ah|v;0xt?~){o_dT=M1#Ca{fakXx$Q@YE*r=(&^0iH%bJ0TP zr^i3z1yz)#)PX7*?h*!dA@KP(1yv*cTPf#N3wVK2llT+|(OS zlP6Ef`xLMcdr4yUz;#J_@EKUtGSIrU(d|q`m&~79J8S=UcJ>y!Qhzd8 zy6Xk_a(AWzM!_^E%3hK5rp@!)_}`Zvi=~{gn-`pqX@Uo+)9{5h^kMHh4XSMx&udd| zqdD$U4v)4`1HQSS^d4V#wDvyvM~dwHZF8XniYHhDI!j^alVkEAO$9v^ND+ucoN12(H2>{+uF=ENTQNQCRkJ7PD!WLIe1Y&I=BH u1(jrhLC}Ey4+=9yfR>B!f4I#5y$%024+8-M5&fsWDQUE15V5rX@6aWAK2mrOccvZi<>@GeF001nJ7a@Oh6FCz8epUA$ROYH; zr|fY^V3(zi-7*R6QoLM_c;Q2mO35>_t!$U2&6~BK!I}%fwN-I?wyv$=O-z32wMx}Q;eaCCg(5OZh2n!-me54@^hAN%PSv`OuY2L~YTt^t3^4N%eH8bHxhNel3 z!AO`;%gh#>|0$ChGdg^9R%u7`MKF_go={*s$@OE|eW>$Q{z2?1^#m z;0|z%QY1$DgA|4t5$0OjB`Y)vmRJv=w1~wO#{ihKNR->DDdZwf(0roOc*$@b5t}R- zFC;OLlwENxRSqhiWL(Zt6F@Y9qZNyJN_wO{aF>4&uFq5^(t%OA4n?0$av9qJ_5trK zpTsf*BYwqY%qOv6uxB>sSAs!%R%sbRFLW^?#d+|f5-B2UhA6@b70D^|N{7tmP_uD| zffh&O@#ye5yOeRv!a39uFm|TTQvYLj_ZWty#k*V@X@wzksAtD?f%wnaX`~XYt#n-5 z1ulP8r$JJ=9vQ83?aEZDKL(Z23__0URP+j^qsjvpz=pDJ8c8pe4 znAc~iML$1SQ|h3!cHwsZGO8XUZ)5wAkkuk;SQa~ab;7nOUX)%dQIf?HrMIh|2wML)-Ha|G9ry zE|iX(oBNRFV-|w5NQKqh`3~X$ww(3ZGsHJUJ=mw%pmeZML z?BBVd@J8eNwBYmw1sm_Ce4=v8s+51v$^^KUv04i5u|L`RE@h5dPj{`wRV;{9*z5Eg z8Q$cRW{Phle@tQn7x|BUtZ?Asv`N95(B)sqq3#;Y%L*$EE6z=>*Dd5R!W!j!GsIr^!L^XA 
z>@pK=6kM5gFw)5=lZQx_TE&0uRdD~Yq*HWUwx0r<5X?b7tBuFwCP8QNnO3mZg$|fg z0+30JKqI2o-blNVEK%?2%*8w1jYT@M^KMIt-CjT^?DhA0=bg5y-vL2iWNa4u|zwLDyrC zey;F;*Qytkd5SsQe2;%noFCh0e?1U%frAsb56VF!x`h?(d_40yKkGa^>+JLyk-1fU zwsY3$pLLuhn`b}mVC(Z0J9VfV*>XKbG&NR-q$W{eXy;}009MUD8$7CDxY>|K8>itt zFA9qGb)j^|RmrG~;+;cRC=(JQYuLz)mMLS~>yCiFn?BU!K8b&MB*xM@1zaN`?2MA+ zT3TJr9&2hCSn=MjrL}9_a183lg#Xu;sLUtlwTwmE5s%WZs`8|$cYS#>Rb=^;&q~pl zMtTMgOW?*pV*wjYVZeobofUF{^&qKa(nU7RhCmIQqdrf5 zc{>i0@Ipq9jvd4wR42Xgotb7AYE_(1?SZdQ|J^Uw{E6>&tSzV%2%tJ~Ml^~D(<87W z2D%;$``y5X)>dBUf%I?FRjmoX(Gwl%?d``cyTOM1wuOIJK6ACoR0{8ja|9>nMLY~u zUN(%xd(_O-3@G#gY&7R)?g)`u1RaMwj7J{sP^Z9mkQ_;#N`M$PjrpuVQXDa|Y~v)< z+wdj@uC7Pnx;Z9PKpV?d52b&fR)hDHQz|zHy_k zwW|H^W>tSK*5l6gvS==P>ynMrQk#iaEf-Vh!&yhwzT_IF$!WE#X~J5cQK3)Ya5Q-c zV>Bp+6M4z)hu|!IEv64y8R90uC06icf{MrmxQGKk0sam&PmM|zu*ZR_>Q2`bCr0!) z40upANX@r3#)EHTj87$nx>DC$H^YO!ni)EJbDCD4e2%} zO}6(oo=Xn{`R+#lgK#Jr*2jiB7St z=-HC}yG79UN!<(VlqdA&e2mO77N}Av{Z@bP*<~@23IBRS9b5py1w~W*u3xWtOdF0} zeS$EXNJFgxCekaZRqDQ%!TjsH#|^f0Ko1}QHBBZ%_xerxFFn+MWx%1-w&)XgL6rZ? 
zx8w;YS?SdU8NtX|!iyG#|CYoAlk{zb8Y>hKfh_oyQ2Ph(_l9m6V6B>zUxjd63{!t$ zsY6M>FA^SKM5(z5ojk^g6D*UMJ+oj1MMcO-zHvz>akctO*b*wR?wglo1Gu;H?Cc7< zqty5pN%rRDp`W4n<0#26Jkd>?y3V5h`gC?{cid)ucdTpy3Cnjv_QX}n+brf>7j^hDrv z)H0B?k7G%;R+f?LC>@T+fV{N;2CH4l0;p3%oP6r!F`U^5ppmAaInE^%5O3hu29IZGP=QgS`;gv+Aj1(9Jb|3^@kc6`aedhCOd*w zmbV`+>ZhDR<3Y1?I+fbk?tl4yfwOnN;tiuO-sLf0e^`Sb002hD000pH003=aX>L?yZE$R1bY(7T zb8l|!U3+ueIFkSWs_r|WbXz5RO4Qr7oV#4DV>^j=Y)5A)nca$09*Be_j`>gs(6(kg z``ND>0ACWRhZF61J<_DcA_z1Z{Q~f7koxUE|AUayU${ADE-k$xrGK#y6aK1JQzccG zdUV8G=7}o(H4IqQ^j&?A*P8Xlp;2!e^+wHN6UU!oy*_g%4i&8W3-`VMDph0$rtb;3 z_lX7E_C4&UQLW>D`o7BqwWvT2e!~JNqM;c30am@R&A{jWP!NOga5C`&@mDu0LxvO) z*^P@VaBS7{olrn$M1N?8$j}eSkr33pWdZ5?zQaj>9554ahTTm-f^ia5g|+TJT5eU48jI(&0SG)#N)X$hF1w8H^M< z+$mqNk+d71D1WOaJTj$7H=Gz?iVUp+?Fz>iF$=|xGNp1Qv6`K7bicg2`(^pqGecf5 zvSMpnX~;iC{Sglsl@4<5kI0cnovE-*4!UFkBZ&j{&^J8hpn5qI;bd+oDW|!kflUVv zOZ!YD$}=H&n#KbvRJdeKQxWjus$%_je|X7Fxaz< zcGGH7$_}lzd6@82Oef7`eyt*|BLb08pIJNQSku)H6BbB=rOuhh?a^598mHjSJw^kF z|GZowsU@xpIF#0&*LgHc^d`)_1lwz*JuvMzu}hS9D`jK+)hJg&&;A;dqz>T$kF$mk z6ajyp-bqY79-{gZjr0lDRl8FL^;9#{p0v8PRm!z;rJ#DW7EF8d%QZ@iO_*o#4_*=; zWO+fPEKp!JIxZ1@3Lp8hzIPn^1L}yA%ibGCLGL%I0YcjuTg|uw(N;#9>7AME12+F& z#A&vBvU%_{?np=Rl-U;r(8NZ+%+SaJnZJK$Z)O0SnR_|&MD+PBdztImOLvJ`J|&eo z7q1)jPR7OKs@_c4x{+b)Mun}LBy8OzVJotX8!54yJgQIi>6k!~(Z&^6pN^3F5A%)Z zW3n=B(u2AFmJu*0F|#jhY2#E7WT}^Yhr&* zLBO`T^ZB|&DXnsdS*&_ps*vl_#OI>gxGsI!{qJjU2Ua8CKsFzSzy3OXErO6i;fcpj z??CFDTziiiQbfvROgSu5rer7TY8NZ82e5LBocQQ<&^g|zke-S*6DT-#Y+THAE98o~ zpxLu76be6L@~nGgSzxYQ({u0G!-RhV#i(|wlMDg9h>FT~cPqgBrwfRfp0b{VeVcne z#tkvm)nSas)B|0Z)KNo`g9W4Ej1*K+;pYcZ2C*U(om2G(Fy5Q=+GO#5Yh`#NzkHUnCuI=sM)jQ^)yE1FHLQXv^Re?UtR3LwYsqQ?{ zQPO#Z9Q*Dh1g}Z)Du4i(kc+xZGf*M#K?lbn7ruK6<|?MBY~8*>&bl+V5`E^H^IaS} znt8YNy!(0nR!&4ypE%5<=bRkcvhH03*Js_<=7f?Vb^VZ&F7rqq^Dl^O6ETJr7Tm^^ z4N4UzUYVVNVGs(&!W;+xMreOHd~=Xs-zPAwK%{YPFg5BC=H1zW@5yNgjIcjuvwe8Rs0MPB_-5PwJ@s=Jf~ zu-(Aa4+>}iH_?P&k!WHZfyIXdIS*bkzu9`I*JQKW!0`t)m=<}ra`7XRM3 z)VZ-deq&00xMZg~b)8b4?0?VI$TF3JP+_x_8yIE1lsdtAJnP7_a48k|-<1hwj@5o{ 
zIUoJT-hQXjZ`A9Zd=BOdzswfR)R|@asS|rVJ@OjZ<(+MTwbtT{)Cv=Q6J~k*HwoCC z&F&XW_)B-mwFTSwaz%f)E~l5lu&E{vSmF*$zINfRLBfu>PuShvecIgr{kCHcDORGB0r@^Qx0YN% zAqA8&38u6NvkA)iwt3MbIS`RQx`^%A-V2z@O>f@B`OOuX(K&zA)wzMWB!Culf#6q5 z(9Sdh2Mbmiwqtv@rSuj}^-<0Cku&;bF*ALc3b1kcx5FPPuwWh3W5peJGviH9-t#fSMdrEBfAaJJaWNo3|Ew)6b8@>7Afe7r2$r%2E&!GYxE*$H|5 znw0k%?Y(kx>xzLf+jlU^V8ld(7LjuAAHDwRMXOmR3jdm`h2cj!=U=Z&RpCyqO9|25 z7;u#=w^ z9R**&n-sW{!4(ut3%q4eyh_B;48o>M7Xow79DS2em5$jO2eU17?;%c8Eb?mvuwrjV zIIfypO2}^FPeO+V3aX1Bx&({EqqBj;BMHd=&Nf*>yFz|slOYx$1#IHY6o8XP7AJo_ z;i;7|vUoILL5%b7$-`O@S-oB`{`tZ!IQBikvF39D$8y#iWL0o%eqE=VuL+J7(%Aqw zR@m1T9DB7KCE9{xe?D+*(Mi0Qaq{d)kC5XK|5fN%+$q6cH+A-Grk8&Ud~Auq&EjJ@ zr)yux;j^W7xe0)5iS)k>AUm?&!aRR^^O4gLyNQNJohz9XpRv`K1d8R`=yL(ZRye=C zXce6r=TT~$OLCvN3-|Wog?qdR12tLDg_Tq1slFZ)SaOgih1|MQ4PwZ1 zD{8X~yJF=5xH%qEK9&`Sw!=`E#D+buW!W-@3wdnC)!Sfoik%D{h)0SbEYN@BZMKWY zo`jkPU<>NQej7-^tYP}#Hq&bEdUqDo3;Y2pF=Frv^(SW-BE2=22CzLqExaN_m~2>H zl^DxYhvsN7nmI7%OH?L;2(L?(>yjlQ9mnQEU7D^BGMC?}WqU(keicE;g@r&9T$mbd z;Wv|e%kxFRzFP8zKKONHxwaz5)sehxkFP=5;Lo|YBC5GJf6&Y+KIQp79HH7efjCWh z#FGpd9DkrhlTt?nuf1B$@%>wcs3h==JdQ+(q?X`rXC4?6#VwE~@)k_(Qk&Y&45zzD zn@DMaMd~AIicZ|@^*=!l%0d*M1i0wEKWgsnBZ>(FIBc4Yy^eKYwho4j9vtp98toz7 zZyz>>Y;V|T?@_Bc?3ne=!NLBZ(V^_%&>D0a4S&{Qt$o@;7!b?`7}0j9o#3sqd~k{} zGjHYK<&ZJ<-~p|)^^<I{}=H!(`cUY3ORDX^k80eXX;*;loHTTk@kCtEi+Ygg?uzpdg)tmnvi*>bk}ab z@qfO!YL|i7t%dbCgV+OIW2N^nt>jmNjT9b51rt6AgE(#%6HV%$E{{DTuty^nD3nRP zE8`uS2@CpTnlA|51lQDj>^n%lp38{D6XlZT4mO_1N-jMVsU0v25omo-)(_T3cFm}z zT4csEw_5rqEC2lMD+YV$9#@rxJ49n1j(@skG{=E_*Zqy?;$PNIn`r}JEb zOxpMboggl}ws2wQcC2NM@l!wmKcFEebiH_oHXlcdR3lr*h`Y4Wx1l2sKo`h9SJ3#$ zlMQ~feBxb&V(vR&&Kr>2YO2-qbAM~_ znWC^E4Qoj}PbKHh{A-9WZog4A=dC@~U{bxpXEWN3Sli~izBS*Kfu)KQUfJiz|G?AW zvq)?1Laiv{H8+ZNGhVsRnJ+yKo`wGMY8IrtRzjLIiEYa3)$-iWHs!TVdA+>z;7d~r zD{)icy8C1$5g9S@Sy_*iFj7F4FRP)cCH`0icU z5>jj}G5-0ppYoI`v<}TNKJtBGyY?*=zgDlkD>h6HgAQOfDHwGJjz5w%ZGTZ1H|(&C zfO_0_?_tev_|cw>OKD?A_?>!|p~jF6^y$IRynZ5KQ+v9etqh`Fo}_&~m*hGLwOWn9 
z1{>x?N&+@y@*ph1WE6_n0-Kv+f-vA@2mhdn;!77w$CNXCPc66c0Qa@d%Uw`MJ?gGm zJ&IKj=dTDRu!bYdIjLL~l~1Op6L7B9L408ack=r^_@bhzl3w?!iA-?KoQLm8&sB+} zNMy(AA#z|4V^nZmlKIfo$@znNdoOvFM10&ketCo@gj%{T{coA1uA!U%0h90>6n~Kl zg|~|dsD#=I4Hk_gm4}jSrmja4UfHtu08u5s<$1-9dV3!nkUWp_xB9 zM&FuSpS)Czetx8~{R_wFO$^qy!siPCcYIQXS4j_nH@I0?k3HZrL{(RgF@KJJDNh#4 zpHt(raQ!b669!_MRs9xJ+pnP;N+ofdLzD;|(Hk=+YPl=r)$w?AY!Z8RF0t>1#JdsJ zt41E@HfC`5Osts!-5pLjuSSo$;5%=tlY8}ei^K7)8Ud|Zj*}_aZ^uOnvris7xsO5n zTRRxo5lVk!N<=@tybT88R)6s5nuZTC#qK?xq|=Y&^o}m7eyASR>75>bygKXuBPo!t zjfpQW`zJkhL9R=vmD2|iQ^o7vUBYObV1TjAl_kUBVw5SsY{TR})kYP}j6c2{%GTgy zqx__Vyu@GqlWB=K3K=?uW%Q=p^}SjOHOS^DUcYWM7NPp;6*_PAGk;(b*v}TtCn09; z&!-hK#9>};EEcz?AVci*NPw&{j6{@BiV(~~is=ML+xil(mN^|OJvy-hc)XmBf} z8`|4+!$#5#?QcytByWC!Nn-*V>OXmMp*^=6d8x^T`H{-@FD1EF^zVTl5Crd{ z!S~SM$*DAWV!D>YgnUs|;tgb?_G9v`KZv0^__`k4^sM#{tAB*hOfQ@<54%d!&84^w z?5_~~fQ{IL?(Q|d{Jh7+2?MSk-$h@b#5jjt`MK@d0*g~uc<)EsabS>4-ij~q4u)0O zf4>Kd=JM`bL2t_OjaZLImSy1SY!JZXnRn;kGDFH+@1Y+hJZl_{KtF%;2ag{o*oOhL zC1xcgCB#^|P=D$1)H8$WL>O3)Kw3HuyFzEgIMyYch=Fp z=(0~a@-I8Y@0zbmHuCWeNi5?1#DU%LFKQx>%C6YZ!IC@HJ)OHL2aDXy63z)K#{ zm7G_)xJ!jOhEc@TZ0{F(>`$gjjkecnN-#6I1UArPM5^d*=&9#V9(&=y=-DF=IP=62 z|A^5EE|l7H$`O{rr&~Tzr;!4Q;j#&}pf1#aae(OYqVHn~{?sDq&-H`p74=38D%;lM zPY?~6(tm#6S9c|YVA^a1ba52209CAiS@cn%*EtHq^mocq)|w+8_Q1!Qi#4H%1Vdv2!Dtn9*BN=D7u!B zTz`71F6hJmyo=PY13aESz*@u>#@{afj-KN~6pM@A_=)iP1yN_#-TsvFdDbiqSJY**{*wFy8wfn__}k%Jzbq zuu}`{L6}7MI5@sb(Z!hp{2#|BpOOQyccTVx;GX6C!TIHnvWruP-C^dii}K_G6Mya> zNH+EtYCzrj< zZ8`7#==q7!MLngfy_rrZ=l|c{vG%rY1HTX0e-MHVi2)mEG9w5&j9(hku)SWe&N~e;o^@mM_f|JI2 z@vZB2W;1_rgpcISj6QhedD$3_!y&j|xQ$2JuB$s+XS2T&P*6h&Ba`nhrU4y6${GPR ze8Xs9ZDE-*(B^SV846Xe;IKfbmADET6@eA3{jr?`AX;F)7<7(oW{*uCM1KyJF0t-N zCMg3{EH5c%`?AE3Pu5!9?z`Ym*fK8SeG*mXnQ}oh@~J;=Os)sFkz!!Yq^2^7!)`cM z3w@qUW(Wb*VanjklT(D{v)Ld9MjfK1BXnj%Klm3APmBWgq8ju0Bw!yNPk!ue0N+Pb z+yGw?znv)*BN|?RsI3#*e}9;uQtX5R{Y9>DB}Z!Y&WjcC^3?b12SlGK@6}})X4(z$ zi46c1$n}_sVaZ&N>c?Dh+HyIKdDCPUH~uatK@c`}c2jW!OBMzLBOJl3JxiwFxsUta 
ztiq}5T@DOWqYy`;e2S<1k5vuH|1NRB{r0-ADY_SGb2H@+Df_r;HbnUhpuFDbLt+vW+&YOJe7D8VlPFrjBn~XUDG@lqOw0Q{Ok#s$2Pc|6z z5nY@UB1=npf0|vr(0`=)&N{8*0edoy7Pls=VhWNQ?OAAOIun@s$(jD;1+j5>z;@1j z#--euPD|GjvATeJr5Mk{vn^a-?snuwnB>YTobTGjJ*H_M_oj2+6G9$+Jnov&+!OJW z$0ll^)K#In0cZ;8?n4dSX6jsrc^y1`@_(qbNgr-+WlyWN3Ot9`TV}O34_m|Rcwh;C31J#Ce$Zuv44Tb=S)kusa zfOkrb0lc5Z^?%O4S#tbT%LPzJ;SD*>I%aPMbMVP~{tb5pUF-X^=qij=*!`~8bJbIW zWmiV81pyk@BbrQTsym`MifH&P1p)f}eyNNhhJrdc8$)c}oD9@DzX`(_08FDS=!9*i z!0#SvBJGj~ti|8?GtDuAU*fW;mL@iBL>Mf?jHcj>P=A1t2CAx23P7dP@}sZdSb&a- zGUZ+f<~6(qwp-kSPN%UYVgm3&iZcGfFm^FzxuzM@m)@x=+DQIJ@;8$Izm$Bn8=WaE zXcR&yK!KOue#QA8g7}J&;v*pR@KtYQP*If5Z4CaTKN%4f-rOI6JKpc_^!vY@0Ra*_;n9WVbJ9e>r1 zVgTJ|&L!mkZ@P*jDjh1EBdMtui_Axc7LM8Fcoc4Cduw^{obDyX0&xyNNHQ& zKRCby4G{U^7mOAvM+4q!2xlUN$jAYX8NmQif=4fxfET-E@;C&uznz`J3>4yMGKhTf z(!5SwA#%me!g$A(NhAojc^!RweE9_rn*0U!+^#wZh&ak7NJZch8bc+Ct@(7;FjO_1 zAb*zMW5=_vLppfjlqiRR)nC2b4k+3d3V=8nq-pL4yTUnyr5x>KfIKny7YSzh9XGpS zm0MLlz4~0KW-xP_jrX8lUpuflxO$UYx`J~ti2VKfmmwXhe9;3qBc*RK&*}uvjQk-c z!cZ^YV2iWf(Se|Z5eQ0R{giiSyWfAcU4Pw%y(k`RCrU2VuPjBcs+fxx*ep|1acYjU zQ&RQo0lwUqT>>lXg;R!CP}CmrxsSa$K?DrwPv`M%wre%B2G)Rr>9TmI_*@dihFMFT z>=ElNLeyhUCNr>h#i}A}aVFKUsZz;kOoKFcaaH74(H9=7+4<$kx?^3dPEItRKY!Kn zYRRrqmpPdlx|L#7M}hRCOg(|VDi~}fJ@sJCs}>xrmQ<33`MB*i713LP4>MZF?f?_V z?AP0sPqp38)H}~p&tMDm6my24kj7lIC$}eRK2pUL&ZJl+Z0yj+4!vwUq~?;bF~vNd z&3T{ipPHaMF{I5Tjt42VRAW3usef(k@Je>Lvd+!Oy;ZM9mNb-iBai)IkQBaXzPTM~ z|NV&DkruMGZb=r7yCMn7A>2?>*eZkUUnb=!TwD(ppu3)g7U}x0MM)m`pi8)Ioe;B_ zjxF*2$A9*I?k2gM{kQtcJtDc>GcVibo0mWA5^DX$TtclEIu)y3LM^^m;D4-r3AGf@ zb6i3#9c*(6_4WO?F*lb`U+g8+N2t>^)aZk+_mtmL6SAAXTy~e(X+7i7rLpt7(3EQ= zTbg8_G9`FNmtq}qkM4N9&RAbpNULASwjs_G6dzY-lytKuAuWwunJ zP_nk0*ZKE5g3m)sNs^=0Y1w-WE%!Jm<-`>FL+kBJfsga3eR*11*4vi?T3*n;lzgOf zby|LVIkc4A30|F+dI2r6D7_h}F-O57irwU55=2+60o@p9hhulQwqd((8({6SWL2cl z}THf|rq!xN=X85OyFy)s4EJJP@GeF001nLr7Jie^?h(v@|=HIgC76@ hM#caD5dZ)H000000RSKX00487{3|2|B`W{`007bLap?d6 
diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json
index 84f629ae71..4e70c0c612 100644
--- a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json
+++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n 4. [Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\r\n \r\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n1.[ Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\r\n \r\n2.[ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \r\n \r\n3.[ Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \r\n \r\n4.[ Azure Active Directory](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \r\n \r\n **Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json
index 7f7a56280a..1ea8e1cb78 100644
--- a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json
+++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json
@@ -78,7 +78,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Hunting Query 1 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
+ "displayName": "Attacker Tools Threat Protection Essentials HQ template"
 }
 },
 {
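Review bot: The new description in the createUiDefinition hunk drops the space after each list number (`1.[ Windows Security Events]`, and likewise items 2 to 4), whereas the removed line had `1. [Windows Security Events]`; a Markdown list marker needs a space after it, so the four prerequisites will most likely render as run-on text rather than a numbered list. The new text also pins the catalog link to a locale, `https://learn.microsoft.com/en-us/azure/sentinel/...`, where the removed line used the locale-neutral `https://learn.microsoft.com/azure/sentinel/...` form. I'd restore the space in all four items, e.g. `1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)`, and drop the `en-us` segment.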
@@ -170,7 +170,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Hunting Query 2 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Hunting Query template"
+ "displayName": "Attacker Tools Threat Protection Essentials HQ template"
 }
 },
 {
@@ -262,7 +262,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Analytics Rule 1 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
+ "displayName": "Attacker Tools Threat Protection Essentials AR template"
 }
 },
 {
@@ -405,7 +405,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Analytics Rule 2 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
+ "displayName": "Attacker Tools Threat Protection Essentials AR template"
 }
 },
 {
@@ -531,7 +531,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Analytics Rule 3 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
+ "displayName": "Attacker Tools Threat Protection Essentials AR template"
 }
 },
 {
@@ -657,7 +657,7 @@
 },
 "properties": {
 "description": "Attacker Tools Threat Protection Essentials Analytics Rule 4 with template",
- "displayName": "Attacker Tools Threat Protection Essentials Analytics Rule template"
+ "displayName": "Attacker Tools Threat Protection Essentials AR template"
 }
 },
 {
@@ -839,6 +839,31 @@
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRulecontentId4')]",
 "version": "[variables('analyticRuleVersion4')]"
+ },
+ {
+ "criteria": [
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-securityevents",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-dns",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
+ "kind": "Solution",
+ "version": "2.0.0"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
+ "kind": "Solution",
+ "version": "2.0.5"
+ }
+ ],
+ "Operator": "OR"
 }
 ]
 },
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Malicious_Inbox_Rule.yaml b/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Malicious_Inbox_Rule.yaml
deleted file mode 100644
index ad6d27ae0e..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Malicious_Inbox_Rule.yaml
+++ /dev/null
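Review bot: `"Operator": "OR"` at the end of the added dependency block is the only PascalCase key in the object; every sibling key (`criteria`, `contentId`, `kind`, `version`) and the rest of the template are camelCase. If the component that evaluates these dependencies matches keys case-sensitively, the entry may be ignored rather than rejected, so I'd change it to `"operator": "OR"` after confirming against the metadata schema this block is validated with. The four pinned versions (`2.0.1`, `2.0.1`, `2.0.0`, `2.0.5`) carry no indication of whether they are minimums or exact matches; a sentence in the solution's documentation on how they were chosen would spare the next person bumping a connector solution from guessing.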
@@ -1,54 +0,0 @@
-id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
-name: Malicious Inbox Rule
-description: |
- 'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
- This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
- Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
-severity: Medium
-requiredDataConnectors:
- - connectorId: Office365
- dataTypes:
- - OfficeActivity
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Persistence
- - DefenseEvasion
-relevantTechniques:
- - T1098
- - T1078
-query: |
-
- let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
- OfficeActivity
- | where Operation =~ "New-InboxRule"
- | where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
- | extend Events=todynamic(Parameters)
- | parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
- | parse Events with * "BodyContainsWords" BodyContainsWords '}'*
- | parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
- | where SubjectContainsWords has_any (Keywords)
- or BodyContainsWords has_any (Keywords)
- or SubjectOrBodyContainsWords has_any (Keywords)
- | extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
- | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
- | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
- | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
- | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: Host
- fieldMappings:
- - identifier: FullName
- columnName: HostCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Office_MailForwarding.yaml b/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Office_MailForwarding.yaml
deleted file mode 100644
index d98163c48b..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/Office_MailForwarding.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-id: 871ba14c-88ef-48aa-ad38-810f26760ca3
-name: Multiple users email forwarded to same destination
-description: |
- 'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
- This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'
-severity: Medium
-requiredDataConnectors:
- - connectorId: Office365
- dataTypes:
- - OfficeActivity
-queryFrequency: 1d
-queryPeriod: 7d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Collection
- - Exfiltration
-relevantTechniques:
- - T1114
- - T1020
-query: |
- let queryfrequency = 1d;
- let queryperiod = 7d;
- OfficeActivity
- | where TimeGenerated > ago(queryperiod)
- | where OfficeWorkload =~ "Exchange"
- //| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
- | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
- | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
- | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
- | extend DestinationMailAddress = tolower(case(
- isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
- isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
- isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
- ""))
- | where isnotempty(DestinationMailAddress)
- | mv-expand split(DestinationMailAddress, ";")
- | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
- | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
- | where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
- | mv-expand UserId to typeof(string)
- | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.1
-kind: Scheduled
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/office_policytampering.yaml b/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/office_policytampering.yaml
deleted file mode 100644
index e75ce97823..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Analytic Rules/office_policytampering.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
-name: Office policy tampering
-description: |
- 'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
- An adversary may use this technique to evade detection or avoid other policy based defenses.
- References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
-severity: Medium
-requiredDataConnectors:
- - connectorId: Office365
- dataTypes:
- - OfficeActivity
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Persistence
- - DefenseEvasion
-relevantTechniques:
- - T1098
- - T1562
-query: |
- let opList = OfficeActivity
- | summarize by Operation
- //| where Operation startswith "Remove-" or Operation startswith "Disable-"
- | where Operation has_any ("Remove", "Disable")
- | where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
- | summarize make_set(Operation);
- OfficeActivity
- // Only admin or global-admin can disable/remove policy
- | where RecordType =~ "ExchangeAdmin"
- | where UserType in~ ("Admin","DcAdmin")
- // Pass in interesting Operation list
- | where Operation in~ (opList)
- | extend ClientIPOnly = case(
- ClientIP has ".", tostring(split(ClientIP,":")[0]),
- ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
- ClientIP
- )
- | extend Port = case(
- ClientIP has ".", (split(ClientIP,":")[1]),
- ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
- ClientIP
- )
- | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
- | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Anomalous_Listing_Of_Storage_Keys.yaml b/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Anomalous_Listing_Of_Storage_Keys.yaml
deleted file mode 100644
index f8f2afa2dd..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Anomalous_Listing_Of_Storage_Keys.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
-name: Azure storage key enumeration
-description: |
- 'Listing of storage keys is an interesting operation in Azure which might expose additional
- secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
- type, it would be interesting to see if the account performing this activity or the source IP address from
- which it is being done is anomalous.
- The query below generates known clusters of ip address per caller, notice that users which only had single
- operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
- event). The activities for listing storage account keys is correlated with this learned
- clusters of expected activities and activity which is not expected is returned.'
-requiredDataConnectors:
- - connectorId: AzureActivity
- dataTypes:
- - AzureActivity
-tactics:
- - Discovery
-relevantTechniques:
- - T1087
-query: |
-
- AzureActivity
- | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
- | where ActivityStatusValue == "Succeeded"
- | join kind= inner (
- AzureActivity
- | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
- | where ActivityStatusValue == "Succeeded"
- | project ExpectedIpAddress=CallerIpAddress, Caller
- | evaluate autocluster()
- ) on Caller
- | where CallerIpAddress != ExpectedIpAddress
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
- | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
-
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Creating_Anomalous_Number_Of_Resources.yaml b/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Creating_Anomalous_Number_Of_Resources.yaml
deleted file mode 100644
index b4e443580c..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Creating_Anomalous_Number_Of_Resources.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: a09e6368-065b-4f1e-a4ce-b1b3a64b493b
-name: Creation of an anomalous number of resources
-description: |
- 'Looks for anomalous number of resources creation or deployment activities in azure activity log.
- It is best to run this query on a look back period which is at least 7 days.'
-requiredDataConnectors:
- - connectorId: AzureActivity
- dataTypes:
- - AzureActivity
-tactics:
- - Impact
-relevantTechniques:
- - T1496
-query: |
-
- AzureActivity
- | where OperationNameValue in~ ("microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write")
- | where ActivityStatusValue == "Succeeded"
- | make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
- | extend AccountCustomEntity = Caller
- | extend timestamp = todatetime(EventSubmissionTimestamp[7])
-
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml b/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml
deleted file mode 100644
index 6db8266a25..0000000000
--- a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml
+++ /dev/null
@@ -1,41 +0,0 @@ -id: 9891684a-1e3a-4546-9403-3439513cbc70 -name: Mail redirect via ExO transport rule -description: | - 'Identifies when Exchange Online transport rule configured to forward emails. - This could be an adversary mailbox configured to collect mail from multiple user accounts.' -requiredDataConnectors: - - connectorId: Office365 - dataTypes: - - OfficeActivity (Exchange) -tactics: - - Collection - - Exfiltration -relevantTechniques: - - T1114 - - T1020 -query: | - - OfficeActivity - | where OfficeWorkload == "Exchange" - | where Operation in~ ("New-TransportRule", "Set-TransportRule") - | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) - | extend RuleName = case( - Operation =~ "Set-TransportRule", OfficeObjectId, - Operation =~ "New-TransportRule", ParsedParameters.Name, - "Unknown") - | mv-expand ExpandedParameters = todynamic(Parameters) - | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) - | extend RedirectTo = ExpandedParameters.Value - | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] - | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress - -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity 
diff --git a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/OfficeMailForwarding_hunting.yaml b/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/OfficeMailForwarding_hunting.yaml deleted file mode 100644 index 9cbd44496e..0000000000 --- a/Solutions/Cloud Service Threat Protection Essentials/Hunting Queries/OfficeMailForwarding_hunting.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -id: d49fc965-aef3-49f6-89ad-10cc4697eb5b -name: Office Mail Forwarding - Hunting Version -description: | - 'Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on - victim or victim's organization.This query over Office Activity data highlights cases where user mail is being forwarded and shows if - it is being forwarded to external domains as well.' -requiredDataConnectors: - - connectorId: Office365 - dataTypes: - - OfficeActivity (Exchange) -tactics: - - Collection - - Exfiltration -relevantTechniques: - - T1114 - - T1020 -query: | - - OfficeActivity - | where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress') - or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo')) - | extend parsed=parse_json(Parameters) - | extend fwdingDestination_initial = (iif(Operation=~"Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value))) - | where isnotempty(fwdingDestination_initial) - | extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial,":")[1]), fwdingDestination_initial ) - | parse fwdingDestination with * '@' ForwardedtoDomain - | parse UserId with *'@' UserDomain - | extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0])) - | where ForwardedtoDomain !contains subDomain - | extend Result = iff( ForwardedtoDomain != UserDomain ,"Mailbox rule created to forward to External Domain", "Forward rule for Internal domain") - | extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP ) - | extend Port = case( - ClientIP has ".", (split(ClientIP,":")[1]), - ClientIP has "[", tostring(split(ClientIP,"]:")[1]), - ClientIP - ) - | project TimeGenerated, 
UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity - - entityType: Host - fieldMappings: - - identifier: FullName - columnName: HostCustomEntity 
diff --git a/Solutions/Network Threat Protection Essentials/Package/2.0.0.zip b/Solutions/Network Threat Protection Essentials/Package/2.0.0.zip index c4e23e4f9f4591db8bbb4245d048fd1dbae52a46..8aef58565f60a70fd0f255a77ecccd724aba7683 100644 GIT binary patch delta 9616 zcmZviLvWxC)3sx3V%v5yu_qJTwmC8G*tTukwl%SBI}`oSyZoyDUYxEvXWfhLzIxSi zHSiRq!6DE=KtNzXo}!{v)h^;V0}(+$A{jwIuoCBJaqBr+KmojGYnmo>C~bpu8H@9@ zp3DVw)|3i%`dW+Fp`_WO1q5{}R47`unysiHZKU<$n0nMKSQ!3(=;g7DADKjJy7gix zqwYzjX^K~CFWQdQ9^R%Jxe&?n2+~IwTOwMHk`;Xh4DB5JDIVpRQpK;&1TfxjY2kco zu+#+EQ-o|e8Q-Ad+=<#jBo=VV=(kv{XIC2O4WcRPu|7BtohvRY_u{4N3!Uq0im@F^OGX{*P}~P zMV!NB=C;M3)KN2qRV>!5F!3+aYz{MpiX+FOy^52*QNV`u(jmOO_nSdxzhRx&p05++ z(bz$g3!1Lbw5j-Tc|OWRVqNJz4GQ99@5& ziClx#<+2JI-i#;t7puIg_fgKQyB3_91xMna@j~%T|KhZ@!Z2O-nb<4f&4fn8D8AIc z@sre5515y(OUVSb_0f#=qeodW^IkjAT2e1B{j&q30Kd5H@E=p+v&^G>*vgypIg#<@ z)H@zVeTTl%W;Z4|W$lJczIFu#06U}fcm9zl%z-P1-Zjt-{eY|7StBF_ z5Mxn|phQz>7RL7&9e~;Hu8>OKr~Ccz?4X;5JZQ>h$8aLg^CesR7dYnLhwR=ErT%UYXbB#L*grC5F{$}u8IxV!3n5TK!fa^B2N zudk$8{UVQ_P|R_ix_Vp=z}zMNwdaON4yhfg2?w~j2xRCJVua@l=vs*j*f&fwW_Y}k zI#DJ9J%cfqb5xrx&)(3>BokNu7)tq@gd<7lE(E0-kwOP4TA!j6xNjURjifA41g$bm z$t+{JrcpU13c&%&dItx!sv21^yd`^~kd2eKOpW1UI_ zN0OtZ8xnLLyA+yn%lc-iLN*oPRHXLDF6-`fSJycyj;@nhj5pqTk%wn)O_&7Pf22uj zqtY*YmLj|0Kffg+gD-Q{gJudpQUycrknF^wB6&*&7oMFAsCA{jo&6&lq zN5V}xUjDLa1J%flw*bxV#kF;rjEW3lCUU0Dx50{EF z;kP|qT}UVHTx(a{CoQCJPitrE#*WYWj!zS02-lX~;6jOZ*3KOmvhFc});(9@?k`r) z!FvQU&hFF5iB2O?LM!X-3LIZUzYQ>G*IEb%5THq!=yr%|;9>J2s*ujXILjw9tC5w~ znO(_c?}Z&wiCmB98jM8NsE^ff#a^pzfV8xbK|gv`WwcJ`0Dlh?bSqu%UUxJ3 zl}{+BRJN;aI1I`oEi2tZo>=P&ZST}a;oPaqu)CN@`R3^4D+9o})uRTQ=uU)nC+4yp z$Ds4nR}AV@GeyO1zXyZSkDu#>EtQnt)l!@S-vo3E-Vx>;)-q&#Y-K1@*yX?w(ul%t z-rT|R(xT_o0e5OvWR|GzdQw)nCwIMxzm%I|>GX~4Ycl~Jpr5g8t;>!~FWWjA0-aCD zw6{fT$yK}9fCen8`5#S5B@g-cnEDK*s9BEx?O{59tfnhV_tn9zY_Q+S{-x!-@KS$P`RPD}BIb??zllt5m;! 
zL957{EPn$b!IyJub6t}Ywe9ZRVyJ1yX% zZomyebfkEz#Z)Gvh%cE#4=do#127`23>C=jM}LCSaoEk5M`%NV8Iog29I0ONq6WYv z);mD{(mk#Wkrw2t6r}^d8LWNzThk4_RP(cN>edfcv_!{aJT*ia3G|vjgjl*e$IiP# z?aGI=^Lc@n9O z)NDWiDfilKS(4@cm?9!U&EhWv(gL=BCGD6CBK>WZvfu|ti^V*1;2E#b?puf6$s93?{-5-Lh(ifOO~hFvs^>U%f*+oeJA zPH>=(s|M9uVgAnmkGq>|S_SJ*XdO8mJF~RZ5(N3vE~Ge7GUK*b39_lu&ak6YvyTH0 z*`wA$%4edO0*T~ZI|zEG6DE{WQzKlL3|e_BOoTMGoA z&u;C->%J?o>v)cHL3Y7F83|E`y1N*aD5?Qx3My`>W_EqW&~0H}^$Zue+x~r<3*uac z<$rd3T@-AG8lWv=#4v3}$K)(E6pBkN7X6ZO1WR|7Ip;l;0U*HfwS<9k0a{v=VZxdd0C{6jAZewATa>!nYXpH%)K%QA@{% z`XdfzkA(_e?<<|)zidEc_$zjL9fHb{+`4Z8CTZVxKKZ6GC0CQmTg&s^x035LC3h3X ze$Q&BaER*2-OlcXVAs?-RILp|7aX8zOG;_RVE*d8Z6WUK5yi_M>n=|6BZf&NiRV)} zYv=_0P;O^~$*fJp+%)ik#wK^=CcJ4lKtZlOtq7JmDV{c;p`VTngZx>{uqq_aD|b`u zOwZ<)eaYPh0*npP^4AUuWa^K5TvUiv!eyA71tW+JINd}tVo5b=%mnyvS}B0^R1J?< zks`llObmo0A1v#ZNxX?%s4@c|w29)VZZ+F_8tV{CNj%5m`jb9J;Kz!uZL&Xi*|f=z z%Y6%Unq(gq8lzg1YlkY^O#{h3D!!-7=X&^8egCm-c8?gjly@;a{E^untm%y9YU`Me zZR$chHjc~-y$8yhy(gp+h%vwb>yY|uRdSa4X4<@2+ z50O0xGfk1!7q!lf*`~;Vlk(+TOn76e5k36tlOmPXuZqqeX2}_c5m3&Lnv8=mPQ{gQ zs}k!jf4EBWlm!}Q3I$CI=HS(s}qDkS3+XHUvys>#b1$S;SoSlxRx3wO$(cey6ooK zv88QoUXWd}NCK~^{$P96nP|v#4>ZGET%Am2t82yAWNYN+FG*cC$*BQnEhY4sJ?!R# zb}q;pJ?U&jVij#eA|8v67MHV{9~Ev#{Y=27U9Dl;PLmtK##L`;f~E4&L>Cl`hO7_ z<&h}3JHX@gVr2D^xc65g=YVd^=_P7^+?Ld8%?IR`6c6~y3Sd?uT{;nU1`s#!rmtRRJ$;)(X38?)&c_*i zJzZaZDkiTkbCB7mJ6=uDc#+K#G}7w>RvDD9de-rb1b*^UezYSFF{T?VT*n$AQuljZ z#id!+BgQ*7*S_f7(~M4c!0Sq{4nytr?~_9VWg~rkOCHq1kh&C!pavnKd+63Oo{x&d zx%<_=?kyX!ICm`m0uD2iS%O%S1DNX~=>6Q}LFCet&eC`2clV)}Ef8OMJA77PiTtx` z-=iJ)KZub=IC7l3{A|Mt*c=eJ#n*Qjz**$Xgr?K^}}57IrgxZ?FYn643|sU)@=RFe+G-f7???KdrKa_XxfdIGZ7o+!r&p2GmBdtWku@ z>h&C!FDJI9085!D!sc&mN1aK){BD8c439zzK@Mg#O}q_3#$RFJ9(wQdb4zYF7(wnB z>*6OL?JUvez=$2|1Nj)oLEX9MLrLU*(k z=qhc0^%_Bvsjo(P5qFW$D0?44y1UJo-2)y7QfT*;`l`w}&e%7Dvx7b`ii9DNvh?Rq z@*mSI_XOcC=LW2Q{=5QywlHbki8#vTV1Vb0hcWW1#~~6{+=Xx%#D;x)(8MEG7?U)F z0D>TnGKoB~rRyv32Kof19~4?1$3{Ku4lWT=bgS9k;I+NgxHZT3P-ZIV-{VnLI5=Ko 
zSpX>z4OTAT%S{-V*aZ!UHf1^4xfa8vZOvq}>4b?+U@Y`%M+%-=2oWE^?jlO-OcS>S z`2>T`u!qw$7fdSZxv~J|#0$xSzhBd*f5RC>*8gpTb*D6u=`Iph)NJ3ezw zjP&SzHs&Cbn@=<}!+g(72=^yny34R78n8rBIKY*MV#J2DL#qS+=3{}^j%1Y|wIdzl z8~wD3qVEIKEr5(^jLk5R)kIwIl@ODZ1dA66&!L4{B6b53+H}Ie#Gl2Bj6rvfhE72x zAG2t1c0GJnox*uh2(dG>$gd~hP+8`Mb92sL`ixpM!Sl>dQ}$Zre{|qM!9d=Jvry>4 zq{GLPo(_t`cXk8dyY=9H{l>YJ`g-x)ig*FRp+51c1Z?Woo6B5~b<;gp&s-$3;3al& zeVKh-8@z8G7z>q2IqO@i+tjGfqWN%D3nVDGoObFL^3W~1W9F`id1JNv5(ojCE;3V( z{3|tto2;Uba=lbeQ`qDG_N_iS%CSA?WEgdBtM%BW#Vw)uif1g<>NCwdbBL;e> z@CCkS5zpP6)3O4kA2K(SbFiuTfqP)#1xcJKrW@q$Qc^E^S5%(M@IZ`0&k2XdQ zCK-RgoE-uYZ&|_=J$vP=LuS?llQ({}Q1RBO<{qiNTSmTi@hg({x3rXWBV6;hkdheN zRgTG<)%BFD^8_Rp#^5wj&}^ruF|}@;<5T3!H1-4ywv+AKW6MZKxXmB9kc+kV32U`D zsTo<{&;PtjGCtE9J~Ai_8O$Z*YsNqO;jb>1TUUVkXPn;3Zg!7|B&%r3*yn{qkC^{j zwQLR-L$~vSqd*SfXYo7Fx{lx7!biDzS4t{vVz6$|PM%}#V*IT-|Nb>cs@IJyocX%DQ>*Gt z8Ua-95d(YBF+T-YGi09Vh?l^odk||1NGT?y)yiDQ1U>PN?sxS2Z^U)idJeH@y(dIf zKjKGmKjse(C_ilV)C}Zm)hktcI0`T3c zliziZ;Ds)pIK8@ib-$=-+i94oQ{}FEoh4b>-HpK`vB$qd_VUJd`d`9xI8D~~WN0^EtECDE?VHzvM5GGNpqR1# zUJctCQ5s|EExu0~(MH@}@TeTuX4tlRSjM!seZV}b7O=rwvMkDwzrRMCtQ**a98kjR@%1@JtHq{YwR6;GA|sOXI%m>C|7V+pu03r zWRtl#wry@pW-?{BZSKr6xmw+wGr4G1pmZ)CLNv?OdRi*2*idoRcyy>{5(<^->BEj` z1B;O50$ED4Dm<$(D;-O2ZQp>HNH1{*b%A6|=yz%HM|>V7f@>q?$DD`Ark z0+T6`WImuOXh~G+<3^S@dlBod9u$_EaO7^YIBEg5%A95+HK9kp&QX9BLmFAts)&gY z1U%z@rmFYa~zSaAm4hOGc+%RvPxkrLBtbth}!FVUIK- zmQGnEL$1QNdVkZ{+;B2A6g0Pt6d2v28VWLKeI_U88vfD2+MXK6AO(wn z)jlHqERYleW%q}ys3~-eKo7D;$O(gv?x(b<=fiReA0|bf>FtEOc3ys;0^H_3t>f@m z-nzQK3k4Ck@fv4(TTkrPPSNa7%&Z(1+T^huDJ!0zX-T;uKML`iVZO~z2jA+Z5 zGD(i05a45_6S(u^p6iC#pb=pl86P~KL2PH9n1vjyDM*vq00EzQvOAjAl?4sw7;0ks zFBnR^(F-Rdh|o2uP#1)$UP~9AB1_};!6IWweT>WtDJ4Zl(m^@7K%-|BFPpX0tjbV% z*DScXDg?=(xdULYj`O0HY^U@(Bqn*~pelTo zCep^#5nGd?hRdO>2Y)9=ew&aW>XIxTQQqEpiB-A$xEqc1;!D-pYKpgL&Ujhf7C z+J%CQ8+a`#I!dHIiu&g(Ql~hJta0r3STID9Tladu4F|wOgM_}@!DNLyV=ItfQVbBo zvIqIWk`j~{XtRnF@t502lYcEg#r|1 z#CnxN>@$)eRV4#=jX>!BSAoWn+_|ZlsC0ZZcig4t4;#xoIg>^|SUcbjEj2!3vORwP 
z89xg#QxoWj@Qb%_kH*)E`@K*H}&lEg8){&ESrz=4q!@VrN{CNnzi(Xn~49N zX)E4lN*tewV7xuXq!46N8Ic#Xj@8>&<(Jawi_Jq{+`pJ~{-V3#e&){*wZk+yN^Zkn zkHlb$@JcaJmnfAmwI;*Gw4F5SEl1F`1z_62I*(b~BhzES_8JUP@b*{~%6PJXfI8J{ zoF8!Z+&t*FZy4CKMffx;o$7AyV-HSb^6)DT?vUzbH1|B)ZS;CJ_uKNIs>JrXyS>yN z`KD)g<#zHUHzb4;7w3RJZ;lD#;p|HqOq8Pu!td>Ebw+L!zsBM#bv$(z79=_cuqq-R zX|Ww)u7btB?!!GcoSU`xy|SKW;pcM5@BtngTL^q{HjsQXvF&3^KUu2c%*Xg}Lpbpz zBti6fen6GJ{9($0{i4kKYR=8AB&;U&P)a){lz29_nBas`RJBoGP? zWVWnJ;`qX@J(Mr3{e8%9k*DukUWy|}zb|?9OH|&m$KFyEPySB2pZ%5T{kaT7SPp>4 z{_!_2o@OgJ#`*am_TMCv%NLC)3*V_o@nQU!mGmzq-KF{Vm@*-BO#5|t1PkpkA&_$) zLv^{wV(&hX_NztaJ9RE!+b%8r`Ei)5@76xDO2F zm1D^6Eh@~+)~3)5O*Q@P^pPW+0-yT4x9T*May#<`{%5N_QR6&@$iE+6dD0+Ph`I&~ z2%Mfks6S}R^gyl7OX3f_>4}^lm(lD*$!yv*GEFoV5zKXeD z$m{{Lk+x7^T(x%*m1bW=4sa5Far7!w9Q)zlhLFoxL3&-nfiimpac`6rMM5pX))aRB zsbE!z!4Js;Bg`1Wi&5)4wm?bb2FKPU6vvK4kC%B@o%%O z_m8R1StQIidh*jD#iZnZW9sr>b)EyKoliu&&eCtf<|hm*4sC5F&*0PC!j>MT_ngAE zo`ClqHJ#YU$37OSxJKyRE`GB~-Y{dMav$29`&^a~L1mY24dZX>r6-PU?+$vknYs4N zeCJ`~_29ks9zH&KQh*U95mq`4(m2QJ4c2c|Vzpk%SPL$$mZb30-SaT=gD~(s@{mCy zRdIqbjp7LpdhY;!fLpA*E0imC_@!2O23OLY@hcIU)-HXJoCloB^B@E{XyTj6K&-T_ zrtF9Nl)-(y-&{EcR6G20G6Yqh1Zg@wEUc^1P%v?N;GlvMIItS5F(0Q>ORPsnOV8*z zuT)h6txOC%={262aw}#|B<eEkDDnA;TucB!4P=(8*DA3 z2kCcg7No{vHPlnk{N+t1lPPlMH-aY(;)ssd@FTPPKtTFZB0NFZ?HY-L=yj;uS^{wq z`309<$>Q+jGH2W{hn7sI2U-KgisDs6gm@G7Z?nxkWtJpicFemJ&Y}i?Y+Dfal;D0Z zX+7$MZmn8@R*gzF3)Vn~=5(xfW}zag>Np-?9VsKanY6d=j?u2reesKGCy+G)Jpt<% zODJL@uzTu;d`a<6`b<_^f!)t0e9(jjH%o*w8~i6=NK%LR%K-fZPx`ySOGo{yP7iKi zb!R&wEm}8A?o3^zB$DY`hmCAOUEwNp9u4i;_d3AXxwOXLIljb(i%=M<@omRL`_tK>6HaKM3I@+dXYNR56>!A+r_#y4T%YE zfc`ao&_v~DsP;xiqwJ24`b=Zu7wgZIeSJ=Yw2H^7EZvkadfIjn-%q=df-&jJu7#%7 zH|EL@hXd6n4-5>l{H^M;VtOrqZN*kQJPd_Q{rbhv5?^s`xk9Vn0xN%x7-^y`Waf!lW5#F066x3%Mk~+$rBC(DC+#1|JtwR45vGS%MZ8p z4M8JXl)Ak{ccQPrh&c2!ia(g1){YdrClJh{QlTG!u?jjCSVy2dH^@+x{p023KS6?` z%g5p0|DX|L8F+Q`ia8OWvLvn!YKR}Xp-TJUhnHt${-&Yndm2OT!Y2SnM;G=0AnOud z344e0x(XqQno4-x6NSS4l*A~VHz(&Fj2{aPRv8hfW$v1=u8j{x6My+25Y8yUnM|_a 
zZ|O&-p|yyqToK5S{4$Wa9Bj-=0lA14xul0?pb{}(@e_)zVQCjR-4S^hoySJ}wmsAj zd$kOkjIYyHmdcH5f?Xa|GxSsd$cc%#D4CderCFfXkcsAvohE-wi^FA3y+Qi$2lGEs zoy^iRz!ev@AOB&WwGv{z*E?6ogUW!JQ{E(QObQ~!Zi+d>m0%4f{|>Oodf@J$F%x6W z2Q>CWSqYNMEvhQQ_0yO>$NW;Za@0ktFU?}_8Ly!I8&}v>V_o&lVi~7^L)*-oTJ&*C z73vav%fD-E$8tYSEM&pl7V=LWaIhCj@*e1K6>l-VxZFc1$2ajWbOs4>0JUcl;4?QMHO(x&?(wLXwOU6B5x9}w&8AL)Jr;H5CTS$_2K?*~GS zu_=%_%e4F<6A$8(V>-q}8%TU%*rZ58Y+fZUw#!*~4!W7J4ph9Y!9I_p5pMa++}|nA zhbM5m6u^7mksF6@r8Qc(ghU(Q*V~P{qVAMD&1K`S6ukuoTC|4DN^oInp!Jy z?-rY@MeV5blayElSWZshwn2R8DBwE4y>j#6Q()q#`) z+IfYa%w#z2B`aY8_k-mkxJi$un7nRpIfd<;lzaoX6aPYiU*3^5zJm};M7CWkjqbJT zpj_ph3Q@dwCfgS@x0KP_7g}B89-g&aeu)#kT-z5++g|*EAhyKZrLI`3{Q3(847`;U z%i5F%GvlyNzf?I~6^m*p-v}}vE8U0b`K*FQ5C#g`ZyZ^L!b)DzQg|a%w*G?9 z&NINjduH3SG-+fNC;n|{6lhAT=fR!3H^bDjTBPG;K{Wb-XJNrMUH`VQU=y>}G+olP zdK6U8*Gu+S+z?lD2m#vm5R^UJCh$~j3A5xk$MymvpvP#s0C^%2;&sy_MzZf4j%}~H zzIc8%#?mj&kc7{qqYc(D^IUer|GF?t}4NpZ`Bt5Ixtx{Ag!<3PmY zH#7H*2ko3&`CRSTw4sM?u% zyi)(7&Fw1o)Jp2A73@IzfFO}SOA`q_uxtJ6L-*2?OjP@{rN!fm9(%NHCb?J=81(D4 z7|PnoS9R$uDK?Tv`)J?{M|m$~{x)ufg$b>k4WFkHU*35s4A*?QsbK!rko|CV`ldH9 x_Zw6}8Wap2ySrO)cZcFo+}%EkySq~;EiUEa?(TMxi(7GrV)M^xHnU02 zNtRjUdGn@FuUm&$O%VDoFqXIsFKw+#P5PoVM6Hz@+6AbXjM6viM z`wC2@r3BaT?M7NzQoYtsGhb;x>aqaZbn6y@WOl4<*E4JCb+;r|&$x6`CGi6k(K?xh zxE7<0b!Kl}X6ylWQY%7hE&uyhopl3J6T&4rfqk5Q4PWWZBps3zT6O|OC*?#dP_ zJuKK^@_x=X>}f$f^fH=!@0}^I>3Ur&2;oJy<;$d9yeW7U{Llryatx+bb82NKR1L{C5VBtz~DwDu89{um$9G-U+Dsljf4O;`n^_O6p6itn-xRJ*Vw}T@Z-E7uIbatKwlWyPG~aR5dJngUf(%i53qiA-PZdQYJKRkyoPs;>zZ0uLCBB8$Y15Gw$P3_!ds2= zDEk{M7nj!dZ^bg$hOj-`V!&}8g|5pas1-#zLT-{T25l6Mj=lb0@HK8WDC*o@COLm{qYd0L zO+(x6)ZoAq(T1|LX#KpCV${Z2luFCS+D6c(ZR~3ArLqF2cAAh^7vKwBQnD=a`s+3D zrk3brleZ#A+gaU1bZ#fUc`b2Yx&H73J%>6054OO=EFJ;Wqy2+ou9IufFq*K3faN|0T_eP#Qa-A-nS+U(Hz0|CWLi9Xab8pF)d^paaGTAXS^ zM7vKfKCdqaEaVwMl~Rb@O6>iekgd&_q8%#SX6OjFvYJ3Lb5U;x<@JA4PL=km7DSZ( zD$+mcteLYl%=>qfm)0ZM+A2Y%7mU3DD8x1e5&LCh3Qb4kSCf|5I%y|5eh}(38+L7Y zI-bOn>o%Fy%v`Wdu6mAAGgr*SRjI%|3p^7^LjTl#B24tHML!vXS2W^|M3-xIS=;7& 
zWs3aSpipGZh@@OzquH)?qY~ko@dNDfR~yOg^O7{W9U}v}U_<_}0`(*#w93j^z(N^4 zkg4X(K(BofeVXH0NP&Gh<98p@Avj8U&n9uTCg-KOV)60CyGrhcpmf7X6OAIoNS z{W8#d668Lon3-W5@o7QZ%V`y^ko-;7JM$&GR=%3W23{`{UAmw}DOiC?GmGV=GfMH~ zmPyATHqDvZBlpYPbXl&U(6~&$hvr4CiW5XuYb>=o?zT?w6SK9{KvI7tX_B zCDi0O@oE-+j|VKe93NVH+E{G`KHdebf**=jdA_9)lB$`Hq%pBQ{csth=;<8BvMgVo zk5^r+=$tOomL31=OG*lD1XM0GGSpz>W~`4T!%phe3|@~oxb3&cD#Pag!rrhC8|Mr! z(FjIg>8q)|(GruUb1IVvR21~5|BLz}Yub^wif!?e3(-m?SSNsn zbVQD5WZ1p;n}YecE?vZ62Y1)H!56EHOi0v6)YVb^_FutEbvUJzg8-%J>?{H<=ufh} zF+n|Jjb1v#r^u_^ag?Ta7&Q#yJGmf%7AY4a_Fa**k#8E6>&Hr%89qY2jD#S;Aq~gC z)L;h!B&2=9k64U0$~)Q=9fMc$}es68&Z_Z5t(j8OF`V68&M;ChW-rzy4(| z4iK&_ZzIvZvE~{xDnDza1I={#7Hrn?QF=P7PG#4!Lec*65qM1#9o;e<6 zH8-w;Q!3vAZKGq7Q{!}xOMqwdz3(ypPvTes(x*a>UBVV% zfv0BnJi=G{1?bz|c@H)*NHg&-J{yTyMgLc}m(B4M6V_=QmWH&?5XOKUL7%R2p)y?3 zY{fd`N+ZfICzOv)wI0PAG*w|sUV2{<9h+0qxb!@LXVDt&QZbPM=$f=J^~dgACaj+- z@3?eVPoUQMhkGW%ni+k_RsibS;T9zV5IT?Cf-aIM~@Pb2ed##LOHDji=>Fry@Uw9n5PU#KQqfrd0Iz7u8ejc(uWk1 zmNdN67`6HX297^7Je-pYty|Q<7Bff}CnJ<(Vw*uZ3wR&65H4M5=uIj=%8!p<;VNze zND4J(^Ze%7`*X`PtG`OTqsu~4$S}c{Z?Pv>PacIoKYnxhB#mjF^T9IQ)GkrV3Q_WU zG@e>`kqU|<;3YTkFH-xdS9it71@Djy1~96{R7yf4&1C5Gll5_>?EB*ztc&=KA#6%v z`lt6Mh3lSG-^?@k+{K~r(^$*7vcG;MK&{pT-rju=T<%oFev_Psl>`kagHPQcHfKn+ z#2&0e8pLa_p&Qa8Mb9Xohe(+T@ic2)So-{)pWF`9bxQ5&mcH45KMGZ+E}FDeGmMw9 zO+xAnH~PIe2McrGVgFA6SSPz^b5b0w43dCAheaR|_J6X#(ahHA&+3PMctAC{AXqsn z1&PB^b>`P(xmNKnMjcC`lM`KVqkaV|0qKRb{`2ci1x4x11jj3;%3rL3CxkB7@1UDE z7la!wl>7bNv+WYh?HMe3;g;~dO;nXFERr4V2(@62l0O3eA1N@quVq6U$q`h4SZ!yOpnOoZyZo;BQIgk)Dc$kJHMDOlvtKg`L{)i zTL=NWm+D;OMn z*hBL@11a|A;k?so?Z2hft6HscsY;j@2+Ir`=%))Ry7<_n$@4NMb$DzIdyYg!t7$|Z$ zBNONE{#iNZ^*P1H@x;a3aB=&G*CnVw@%}#8)%^ZS!>pT@ELI!It2OcK7c5A=l7rXO zzxRfa$uhin8#(rOKkxgu-wF;VImyivEnfR+oyms@`Wb9IfHF=%Em$rSqleB~{F4R$ zaKl*^u{*OQ&65jsPIHQ9xBkN0TMRYN8o%{X?B&FyCPVk3)ZML)p}w}3`*XCqq@E&` zgg!a>Q>dZV=OAr28()Vls1q-xTt_VFED=}3VZv}y0KE4c+|~5hcI5oc#{6q&pzzMK z6R4Yx4g@HtK=tiZoKQ&23hmjaOdUg zT_f$ab*8~({u(ZQ45UL@7e4~ 
zbN~T5bLd$gEr&FtgZB}d7;zkPA;AI#;yHC3f6e|Mz~?yUHvS_GB3+op1f>yTnK-@K zQ|RT}n-kro1R~u{>>UZI_FqgVGYh_K-xLSpk&mEkpG_!Yg0;EP-&8Yw{(W_-9-rd% zwa4urLHanKBcU>2kVE>`(kaFmr*@T=28l+I1<_W5k}$7j^V0`VWIyzt$)REoeeXR( zprzIV_=8F{ZYS8L(8j4EJW37~fS|qhd?xGRg`a?q#+7S*7ZW+`s7E>#c8f$Cxg*yK zIcqkOu=+8egfPv#1BOacg7bN&ivz zM6ZTf?Fh?tTc&zrA^CNASn?N7&tRIT68I8eBDBrWK-t%Zy19{myT;SO;m5%?qpTbQ zGqK-wEv6Q(jgZ_i>PdKH@Jzq6&cY5uWR>g6s$@Wl*SSiU(y%nEl>}O$>#y=VZWO4v z5d7o>gn&$(5+w3j_cF`i!#lHansad<(^K!1mM=_l15!wVeifT=u@LJI!3D*J5u2jY zM@|IfxFd8!X+9K|tWq&WnD{IXFBrkVFa`)QF)$~HSa1*zO z_ql0pGmQH~RvQDz8TQ8MV((B}u2#d(&fCJjL~aE$oUu+JQru>x|7*3_=M^uCLI_VV zWp@lQ2eR8T2gm$_QM;eZIQp#2YrzPI1+`*)<&}`;V)fbIYy;=Y%ko9yL7xerup>`| zhszr8?$<$~JSSb4P`J&+4PPq83(?bW#8LV;2`nz~%4AB1hZUi>yL^7DR=jm)gEle3 zy$CUGBf5MnxNd}|;#O~|LW@y#T&r7hqkiTC91{UvN#-KQwQ|P#ZE2Q>5MYMiN-)I} z)}Otghc}SnOq|HpE=69N%5(s@Bc?w>f0^UtR(mpc6IKvN)wmbze|?*ZeQK39rs`a- z%&H>TlQ(stV&${CU3i>ylgP|8j^QKZP<1mF0I?zT3vb9-AmxyiP>w-~#&&jUTW^=F7%5{ z>~H-WGlQnx|4Yti4;{A0`KbvvSGPxO8#}WH=JA<$(?+qfOrQrXAr(*+dLG&0jxXGk zgJNW((R#D8Af0BuntpC_H1mNG42sBqoDyW0iZq_}V}+)oRVWE6c}=Cz{@Gjt=LHvUfN0|CF9$6zG;AU_v-1`abqgAY5Fq(i2YMUV^uV>e?^1aU@UBuV9RBv750H#C`8WP?`*b4^6`Qvla zCfU{Qf9x}I;xe;OCRx+>eGtHCMMUymNA}%~0#liS?nW1rhh?|kPwzQvN-OyK;% zr+sRT(HXGs*w}K+Z_e%5*g4~McD}mjb=It@G+J(fZnaI_(JmVrIlBkOo~#)~RtDA( z8}YSHwTNy_3OZMGlwVng@_9lXuB~JF);d}TbJsfLTY0w(3i&1!z}Mif+PTRybw}HR zu6-oh@m7x9y42KxE<|wx`&x_kV7+)Q9+z=%BVe5=r2V?Qk$=U6@yF{-@?RJH+#hV- z8I++`L8u%ET$&|c%k32v8W?7Nb5Vvv1bQRFZHwiHUO$ZE{A`G`Cu|`#)foJdO_kvR zOI*$=3D+rOlzgM#&@|2@KdwRE>OWOS?~vOd%jG3fC8ZJB zf&nPnR+xX+y0=~-um_^Hd@7{A>249UaCIgIoEfyV<^MqC^#SMqV7$*V{=;OdsiR#7 zZ6(3{a*o0i&C^qWD+-1CEfTS~B%Wj%D#%7=NbwFQ&@+WmuB$6vZ4SYcJk;*@BNpn6 zk4b~n`%9LpVk@NXa?>=SjY)|lLba1sS^(5C=?K;uDGvS~GmVdWRZSs2$Wa@O^_vIu zWYZYU6@;wOSL$NUroL|_+}tiDYg9i)q|PrHT@X?#_4G&eiRS*B?4B6|3`?l)&>HLq zgb0nT4BcoZ8N|gd)GDT@9>Vda(Sf@_2Y5P`>H4kPIQ4R=CS8sBQHpG2{DbF`1%Q!( z!vS%ghS=WbPrVVXS@6eG&0V6Ggrsg?B$!+)xu7iqWJijB35d}Y*hMrGAutwO!TRTp 
zTJ^=*BkX)?O~rV@QMm2Rt}q}se3%^?`kRLRji{LHJJMfX9C4nOZTK7vv!x`eG*{V+ z78}|6nto-JD*J(?{FRi*grcGT?Z8+|bA?B0A04e7r!zX=@7TbA^Car;CO_t9eH@5T z*62o^@Ug9w2UPSenPU4#>?mkvmqe0yL!bz^&F--93Bo-jTD+^$oNL`UF^ljR=^fbv zS)ZI}9J=%gIqYk`5cWRxKhUuhN-=y}fW-}oUj=$NkxKDtSf9cMGn@7G_yG|Ay0_$( zQeJ;BrI{f%qI?kryb{(iJAzOeg@G|{eM>0JQ6ZaioA{%sL=PeV{y>SQ@Wpb&crT!uCFgC#cu#_VdM4JW zWl53k`X{~s-}z7c)}!O)Oyj-gr;Q;+Hn;Gg>e*O_j$6vY5`4(x5@5VnzHhQAO>v%^ z5kx-!oNzPy=Y4K+bjaxPYA!F&UWFI+Kg_Pf0Wnb>%kt2L2Tk8&qnBS~?Mcd*kl@cd zA1NdpTZZ6xNeNMkcaraqj9}CkT`J(2R5aAPSs4ahGFE`KN2I5Z9oOTG9wWm0TM)g~ zIl;5Hhwh#si5OWY>MSYcEFFfz2X4jHb1Z5Q_o}GFq9mX60*#S>^ zpqZnmUoxoX4r|uv{W-zg7*%GZh_5dP%Uw$(^X_oJAbetg{n~bB{n=J?^wqu3Dp^0O zZ^T5&f5!#0F!;-#IA$(>st-HaTh6e5O`e}xSL^M&L^^)K9`2ePx6daRBRo8wy?t}k zdVjj9|29A_IJMAejXD~7RKN%B!dsDreV-w5_BUzsd719Iu~Gmhe$N94dA@YUWr|KV z7Ffh@B@12xa`-+vtHM-v1<72hmZKJ5uBBpxKjEtW9MHtRio^9`ge|x(99BBOj`STc zE^tZub-K%N;nPP-dJ{nx=WF?J3!r>%+mFaTPGdc_pK=w@Bo6Pq62X8D3%%X!Z?xKS ziS&hFIO44;74tT$nSt+h@n7(0TZMRu;hm!PyE%^mful&uX{v6^-m-);WSj6F=qp@E z~XiRreiJS9#G0!e#7h@n_$xbxA z9=TGFfAK`Lc}&BgYC_;fhKwNvrXW-uF%$wV9tny1|3=87#xJu=7F43#o9A((Y%s~Vs^Zy_{}bf1~0#>X3p@8uD_)n;A&}ul)^7( zmU?gJl%u5Uf|Vp#OiS8@3o(f~?bc21ylTgXplJ{_I3)*)ev2y;YZ&Rmn&SG8V{3pr z4NHKbVLJX<5g(G-Req_eZmA0Gi=!6xPZtS1`#eR3*&LHz2z z0MWJEamQWNb$MSyJxiV<&Zq+|&-<&+I`xC3+GTx z)E$LlzZ3%hPg5=;h6bDE2kaMD2+6O(+zz^$uvpZb{MG4CV^L9FdJza2s#j|>7CRF+<*S*^#uUS0w}{`}s(7sz-8bWo3vU8bX}BKT77zzM_rBw3`$*37OrVTb zr8T#0X*4>Jsax;Pd7c*sb`zp2VX9o38f~dL+TgC)0_@#6QF}r{gaMkKkZP{0^87e^ zDzt)1X@nxo+~U{SQ?3WrF7l*a7JvNxleyZVb|0O*1r0WhSX2|SyB!n+3?yj-Tww&C zXDVmJ(Db>uDSim5dR*3fe=`2#ICo<0q6`0Z-5YM|5Wf1jb_i&UoPD&(f~eOMK4iV@u2 zku02eL!G5DK8=}hZLjkva;Xsd*4|ZO!YRYAJh>$4%iLqfSq-maWUEk&cKdeF`;q`v z)>3UhD)n|FIX=gi)9Wk_N>6xy_ZS)9rvJTdfDtQem5Fiaeo0a|6sGT`1*A-Xxxz*Jb+?{!97|0Nd%iOY@huOScq}71;?L&OnZryoD?ZH9brd z{_9N{S0QNZBYX(zm!C1OFZWM^$nAcey3(qTT^J9dzg@=R1z&pUs!cMlOc)iaV;$FXH;XM70pe)T zIW`%$ctJ03gOua=CkFE)S60sM9IWp(&1#ASs9=pG1HNf_k?r<>tEPD!Vua|)3}2dF 
zQ>pg$)zRUAZMMO;2lwkQPJcQ7t(^rJ)0gU@l=wvZ7S%I)Ol_G4g13!OwmEEY)n zt~8lXk2=4;MBKTy7BYJa*+@g=j;sF~^4;3e9k#8U$GjdWZ>)K5)!tBGC- zr=BE`X&5;DYY-YzLqef-?ZM;}I;_^s*e9hCw7Gm5QeT-J_bzKY0Th`^Rz3ppF;cB5c4;T~V^^}>n@J4^tOZdPuRdqZF*>Ln4?xivbf_Z;~ rQ&WV2#RdI8pGK(#O#Ed3pY`yc`v8Igk^dL#Q}39l5q~oNZ{>dgxI`hH diff --git a/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json index 7d33d0919f..17a4d1529d 100644 --- a/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. [ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. 
[Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contains queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. 
[Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. [ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json index e96866e697..8f39cc7b44 100644 --- a/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json @@ -73,7 +73,7 @@ }, "properties": { "description": "Network Threat Protection Essentials Hunting Query 1 with template", - "displayName": "Network Threat Protection Essentials Hunting Query template" + "displayName": "Network Threat Protection Essentials HQ template" } }, { 
@@ -165,7 +165,7 @@
 },
 "properties": {
 "description": "Network Threat Protection Essentials Hunting Query 2 with template",
- "displayName": "Network Threat Protection Essentials Hunting Query template"
+ "displayName": "Network Threat Protection Essentials HQ template"
 }
 },
 {
@@ -257,7 +257,7 @@
 },
 "properties": {
 "description": "Network Threat Protection Essentials Hunting Query 3 with template",
- "displayName": "Network Threat Protection Essentials Hunting Query template"
+ "displayName": "Network Threat Protection Essentials HQ template"
 }
 },
 {
@@ -349,7 +349,7 @@
 },
 "properties": {
 "description": "Network Threat Protection Essentials Analytics Rule 1 with template",
- "displayName": "Network Threat Protection Essentials Analytics Rule template"
+ "displayName": "Network Threat Protection Essentials AR template"
 }
 },
 {
@@ -502,7 +502,7 @@
 },
 "properties": {
 "description": "Network Threat Protection Essentials Analytics Rule 2 with template",
- "displayName": "Network Threat Protection Essentials Analytics Rule template"
+ "displayName": "Network Threat Protection Essentials AR template"
 }
 },
 {
@@ -674,6 +674,56 @@
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRulecontentId2')]",
 "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "criteria": [
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-office365",
+ "kind": "Solution",
+ "version": "2.0.0"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-dns",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "sentinel4azurefirewall.sentinel4azurefirewall",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
+ "kind": "Solution",
+ "version": "2.0.0"
+ },
+ {
+ "contentId": "zscaler1579058425289.zscaler_internet_access_mss",
+ "kind": "Solution",
+ "version": "2.0.1"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
+ "kind": "Solution",
+ "version": "1.0.5"
+ },
+ {
+ "contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
+ "kind": "Solution",
+ "version": "1.0.5"
+ },
+ {
+ "contentId": "checkpoint.checkpoint-sentinel-solutions",
+ "kind": "Solution",
+ "version": "1.0.0"
+ }
+ ],
+ "Operator": "OR"
 }
 ]
 },
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/DetectionsMigrated.json b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/DetectionsMigrated.json
index 9c504d103d..737e7bbab2 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/DetectionsMigrated.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/DetectionsMigrated.json
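Review bot: The new dependency group's key `Operator` is capitalized while every sibling key in this template (`criteria`, `contentId`, `kind`, `version`) is lowercase; if the solution installer matches keys case-sensitively, the OR semantics would be silently lost and the nine-solution group could be evaluated as a plain list (or ignored), so the expected spelling should be confirmed against the dependencies schema and, if that is the documented form, changed to `"operator": "OR"`. The nine `version` strings (2.0.0, 2.0.1, 1.0.5, 1.0.0) are exact pins; if the installer treats them as minimums this is fine, but if it requires an exact match the prerequisite check breaks as soon as any connector solution publishes an update, so that semantics is worth confirming as well. A short comment-equivalent `"description"` is not available in this object, so the intended meaning ("at least one of the listed connector solutions must be installed") should be recorded in the solution's metadata or README. The enclosing `dependencies` object starts before the hunk.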
@@ -743,24 +743,6 @@
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/",
 "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Analytic%20Rules"
 },
- {
- "FileName": "Malicious_Inbox_Rule.yaml.yaml",
- "DetectionId": "7b907bf7-77d4-41d0-a208-5643ff75bf9a",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
- },
- {
- "FileName": "Office_MailForwarding.yaml",
- "DetectionId": "871ba14c-88ef-48aa-ad38-810f26760ca3",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
- },
- {
- "FileName": "office_policytampering.yaml",
- "DetectionId": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Analytic%20Rules"
- },
 {
 "FileName": "AdFind_Usage.yaml",
 "DetectionId": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd",
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
index 35f338c301..107f93ba60 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
@@ -593,12 +593,6 @@
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AWSCloudTrail/",
 "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/Hunting%20Queries/"
 },
- {
- "FileName": "Anomalous_Listing_Of_Storage_Keys.yaml",
- "DetectionId": "5d2399f9-ea5c-4e67-9435-1fba745f3a39",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
- },
 {
 "FileName": "AzureKeyVaultAccessManipulation.yaml",
 "DetectionId": "8eff7055-9138-4edc-b8f0-48ea27e23c3c",
@@ -611,24 +605,6 @@
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/",
 "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
 },
- {
- "FileName": "Creating_Anomalous_Number_Of_Resources.yaml",
- "DetectionId": "a09e6368-065b-4f1e-a4ce-b1b3a64b493b",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
- },
- {
- "FileName": "Mail_redirect_via_ExO_transport_rule_hunting.yaml",
- "DetectionId": "9891684a-1e3a-4546-9403-3439513cbc70",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
- },
- {
- "FileName": "OfficeMailForwarding_hunting.yaml",
- "DetectionId": "d49fc965-aef3-49f6-89ad-10cc4697eb5b",
- "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloud%20Service%20Threat%20Protection%20Essentials/Hunting%20Queries/"
- },
 {
 "FileName": "CobaltDNSBeacon.yaml",
 "DetectionId": "dde206fc-3f0b-4175-bb5d-42d2aae9d4c9",