Couple additional fixes

2021-02-01 08:22:36 -08:00 · 2021-02-01 08:22:36 -08:00 · 3d0da41011
--- a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
+++ b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
@ -36,7 +36,7 @@ query:  |
  | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),
  (DeviceEvents
-  | where ActionType =~ "LdapSearch"
+  | where ActionType =~ "LdapSearch"
  | where AdditionalFields.AttributeList contains "thumbnailPhoto"
  | where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
  | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)
--- a/Detections/ZoomLogs/E2EEDisbaled.yaml
+++ b/Detections/ZoomLogs/E2EEDisbaled.yaml
@ -19,8 +19,8 @@ query: |
  ZoomLogs
  | where TimeGenerated >= ago(timeframe)
  | where Event =~ "account.settings_updated"
-  | extend OldE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
-  | extend NewE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
+  | extend OldE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
+  | extend NewE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
  | where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
  | extend timestamp = TimeGenerated, AccountCustomEntity = User
 entityMappings:
--- a/Queries/MultipleDataSources/FireEyeRedTeamComms.yaml
+++ b/Queries/MultipleDataSources/FireEyeRedTeamComms.yaml
--- a/Queries/QUERY_TEMPLATE.md
+++ b/Queries/QUERY_TEMPLATE.md
@ -35,7 +35,7 @@
 				InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
 				processEvents;
 				};
-				// Daily summary of cscript activity – extracting script name and parameters from commandline:
+				// Daily summary of cscript activity - extracting script name and parameters from commandline:
 				ProcessCreationEvents | where FileName =~ "cscript.exe"
 				| project removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", ProcessCommandLine) // remove commandline switches
 				| project CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches) // remove the leading cscript.exe process name 
--- a/Parsers/AwsS3BucketAPILogsParser.txt
+++ b/Parsers/AwsS3BucketAPILogsParser.txt
@ -67,15 +67,15 @@ SecurityGroupIdSetItems=Records_requestParameters_securityGroupIdSet_items_s, Se
 SessionIssuerArn=Records_userIdentity_sessionContext_sessionIssuer_arn_s, SessionIssuerPrincipalId=Records_userIdentity_sessionContext_sessionIssuer_principalId_s, SessionIssuerype=Records_userIdentity_sessionContext_sessionIssuer_type_s, 
 SessionMfaAuthenticated=Records_userIdentity_sessionContext_attributes_mfaAuthenticated_s, SessionUserName=Records_userIdentity_sessionContext_sessionIssuer_userName_s, SharedEventID=Records_sharedEventID_g, SignatureVersion=Records_additionalEventData_SignatureVersion_s, 
 SortCriteriaAttributeName=Records_requestParameters_sortCriteria_attributeName_s, SortCriteriaOrderBy=Records_requestParameters_sortCriteria_orderBy_s, SourceIPAddress=Records_sourceIPAddress_s, SSEApplied=Records_additionalEventData_SSEApplied_s, 
-StartTime=Records_requestParameters_startTime_s, SubnetAssignIpv6AddressOnCreation =Records_responseElements_subnet_assignIpv6AddressOnCreation_b, SubnetAvailabilityZone =Records_responseElements_subnet_availabilityZone_s, 
-SubnetAvailabilityZoneId =Records_responseElements_subnet_availabilityZoneId_s, SubnetAvailableIpAddressCount =Records_responseElements_subnet_availableIpAddressCount_d, SubnetCidrBlock =Records_responseElements_subnet_cidrBlock_s, 
-SubnetDefaultForAz =Records_responseElements_subnet_defaultForAz_b, SubnetId=Records_requestParameters_subnetId_s, SubnetmapPublicIpOnLaunch =Records_responseElements_subnet_mapPublicIpOnLaunch_b, SubnetOwnerId =Records_responseElements_subnet_ownerId_s, 
-SubnetSetItems=Records_requestParameters_subnetSet_items_s, SubnetState =Records_responseElements_subnet_state_s, SubnetSubnetArn =Records_responseElements_subnet_subnetArn_s, SubnetsubnetId =Records_responseElements_subnet_subnetId_s, 
-SubnetvpcId =Records_responseElements_subnet_vpcId_s, Tagging=Records_requestParameters_tagging_s, TaggingTagSetTag=Records_requestParameters_Tagging_TagSet_Tag_s, TaggingXmlns=Records_requestParameters_Tagging_xmlns_s, Tags=Records_requestParameters_tags_s, 
+StartTime=Records_requestParameters_startTime_s, SubnetAssignIpv6AddressOnCreation =Records_responseElements_subnet_assignIpv6AddressOnCreation_b, SubnetAvailabilityZone =Records_responseElements_subnet_availabilityZone_s, 
+SubnetAvailabilityZoneId =Records_responseElements_subnet_availabilityZoneId_s, SubnetAvailableIpAddressCount =Records_responseElements_subnet_availableIpAddressCount_d, SubnetCidrBlock =Records_responseElements_subnet_cidrBlock_s, 
+SubnetDefaultForAz =Records_responseElements_subnet_defaultForAz_b, SubnetId=Records_requestParameters_subnetId_s, SubnetmapPublicIpOnLaunch =Records_responseElements_subnet_mapPublicIpOnLaunch_b, SubnetOwnerId =Records_responseElements_subnet_ownerId_s, 
+SubnetSetItems=Records_requestParameters_subnetSet_items_s, SubnetState =Records_responseElements_subnet_state_s, SubnetSubnetArn =Records_responseElements_subnet_subnetArn_s, SubnetsubnetId =Records_responseElements_subnet_subnetId_s, 
+SubnetvpcId =Records_responseElements_subnet_vpcId_s, Tagging=Records_requestParameters_tagging_s, TaggingTagSetTag=Records_requestParameters_Tagging_TagSet_Tag_s, TaggingXmlns=Records_requestParameters_Tagging_xmlns_s, Tags=Records_requestParameters_tags_s, 
 TagSetItems=Records_requestParameters_tagSet_items_s, TagSpecificationSetItems=Records_requestParameters_tagSpecificationSet_items_s, TrailName=Records_requestParameters_trailName_s, TrailNameList=Records_requestParameters_trailNameList_s, 
 UserAgent=Records_userAgent_s, UserArn=Records_responseElements_user_arn_s, UserCreateDate=Records_responseElements_user_createDate_s, UserData=Records_requestParameters_userData_s, UserId=Records_responseElements_userId_s, UserIdentityAccessKeyId=Records_userIdentity_accessKeyId_s, 
 UserIdentityAccountId=Records_userIdentity_accountId_s, UserIdentityArn=Records_userIdentity_arn_s, UserIdentityInvokedBy=Records_userIdentity_invokedBy_s, UserIdentityPrincipalId=Records_userIdentity_principalId_s, UserIdentityType=Records_userIdentity_type_s, 
-UserIdentityUserName=Records_userIdentity_userName_s, UserNameRequestParameter=Records_requestParameters_userName_s, UserPath=Records_responseElements_user_path_s, UserUserId=Records_responseElements_user_userId_s, UserNameResponseElement =Records_responseElements_user_userName_s, 
+UserIdentityUserName=Records_userIdentity_userName_s, UserNameRequestParameter=Records_requestParameters_userName_s, UserPath=Records_responseElements_user_path_s, UserUserId=Records_responseElements_user_userId_s, UserNameResponseElement =Records_responseElements_user_userName_s, 
 VersionId=Records_requestParameters_versionId_s, Versioning=Records_requestParameters_versioning_s, VolumeSetItems=Records_requestParameters_volumeSet_items_s, VpcCidrBlock=Records_responseElements_vpc_cidrBlock_s, 
 VpcCidrBlockAssociationSetItems=Records_responseElements_vpc_cidrBlockAssociationSet_items_s, VpcDhcpOptionsId=Records_responseElements_vpc_dhcpOptionsId_s, VpcEndpointIdAdditionalEventData=Records_additionalEventData_vpcEndpointId_s, VpcEndpointId=Records_vpcEndpointId_s, 
 VpcId=Records_requestParameters_vpcId_s, VpcInstanceTenancy=Records_responseElements_vpc_instanceTenancy_s, VpcIsDefault=Records_responseElements_vpc_isDefault_b, VpcOwnerId=Records_responseElements_vpc_ownerId_s, VpcSetItem=Records_requestParameters_vpcSet_item_s, 
--- a/Parsers/CiscoMeraki/CiscoMeraki.txt
+++ b/Parsers/CiscoMeraki/CiscoMeraki.txt
@ -25,7 +25,7 @@
 // 1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all
 // 1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80
 // 1380664994.337961231 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='true'
-// 1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240 signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150 dst=188.40.238.250:80 mac=98:5A:EB:E1:81:2F name='EICAR:EICAR_Test_file_not_a_virus-tpd'// 1563249630.774247467 remote_DC1_appliance security_event ids_alerted signature=1:41944:2 priority=1 timestamp=TIMESTAMPEPOCH.647461 dhost=74:86:7A:D9:D7:AA direction=ingress protocol=tcp/ip src=23.6.199.123:80 dst=10.1.10.51:56938 message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt
+// 1377448470.246576346 MX84 ids-alerts signature=119:15:1 priority=2 timestamp=1377448470.238064 direction=egress protocol=tcp/ip src=192.168.111.254:56240 signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150 dst=188.40.238.250:80 mac=98:5A:EB:E1:81:2F name='EICAR:EICAR_Test_file_not_a_virus-tpd'// 1563249630.774247467 remote_DC1_appliance security_event ids_alerted signature=1:41944:2 priority=1 timestamp=TIMESTAMPEPOCH.647461 dhost=74:86:7A:D9:D7:AA direction=ingress protocol=tcp/ip src=23.6.199.123:80 dst=10.1.10.51:56938 message: BROWSER-IE Microsoft Edge scripting engine security bypass css attempt
 // 1380653443.857790533 MR18 events type=device_packet_flood radio='0' state='end' alarm_id='4' reason='left_channel' airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5'
 // 1380653443.857790533 MS220_8P events type=8021x_eap_success port='' identity='employee@ikarem.com'
 //