Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' of https://github.com/niralishah-crest/Azure-Sentinel into TeamCymruScout

This commit is contained in:
niralishah-crest 2024-09-25 19:09:32 +05:30
Родитель e85aa4f696 6bdfd518b2
Коммит 3e1766dc1e
374 изменённых файлов: 70829 добавлений и 5132 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

53
.script/tests/KqlvalidationsTests/CustomTables/Failed_Range_To_Ingest_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name": "Failed_Range_To_Ingest_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "From_Date_s",
"Type": "string"
},
{
"Name": "To_Date_s",
"Type": "string"
},
{
"Name": "Threat_Type_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

253
.script/tests/KqlvalidationsTests/CustomTables/Host_Name_Info_CL.json Normal file
Просмотреть файл

@ -0,0 +1,253 @@
{
"Name": "Host_Name_Info_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "configs_s",
"Type": "string"
},
{
"Name": "created_at_t",
"Type": "datetime"
},
{
"Name": "display_name_s",
"Type": "string"
},
{
"Name": "host_type_s",
"Type": "string"
},
{
"Name": "id_s",
"Type": "string"
},
{
"Name": "legacy_id_s",
"Type": "string"
},
{
"Name": "maintenance_mode_s",
"Type": "string"
},
{
"Name": "pool_id_s",
"Type": "string"
},
{
"Name": "timezone_s",
"Type": "string"
},
{
"Name": "updated_at_t",
"Type": "datetime"
},
{
"Name": "ip_address_s",
"Type": "string"
},
{
"Name": "mac_address_s",
"Type": "string"
},
{
"Name": "ophid_g",
"Type": "string"
},
{
"Name": "tags_host_bundled_k3s_s",
"Type": "string"
},
{
"Name": "tags_host_deployment_type_s",
"Type": "string"
},
{
"Name": "tags_host_geoip2_latitude_s",
"Type": "string"
},
{
"Name": "tags_host_geoip2_longitude_s",
"Type": "string"
},
{
"Name": "tags_host_host_ip_s",
"Type": "string"
},
{
"Name": "tags_host_ipv6_enabled_s",
"Type": "string"
},
{
"Name": "tags_host_k8s_s",
"Type": "string"
},
{
"Name": "tags_host_k8s_installed_s",
"Type": "string"
},
{
"Name": "tags_host_nat_ip_s",
"Type": "string"
},
{
"Name": "tags_host_ophid_g",
"Type": "string"
},
{
"Name": "tags_host_os_version_s",
"Type": "string"
},
{
"Name": "host_subtype_s",
"Type": "string"
},
{
"Name": "host_version_s",
"Type": "string"
},
{
"Name": "tags_host_boot_mode_s",
"Type": "string"
},
{
"Name": "tags_host_build_version_s",
"Type": "string"
},
{
"Name": "tags_host_container_runtime_version_s",
"Type": "string"
},
{
"Name": "tags_host_host_subtype_s",
"Type": "string"
},
{
"Name": "tags_host_kernel_version_s",
"Type": "string"
},
{
"Name": "tags_host_ovs_s",
"Type": "string"
},
{
"Name": "tags_host_serial_number_s",
"Type": "string"
},
{
"Name": "tags_host_virtualization_s",
"Type": "string"
},
{
"Name": "serial_number_g",
"Type": "string"
},
{
"Name": "tags_host_cpu_s",
"Type": "string"
},
{
"Name": "tags_host_federation_s",
"Type": "string"
},
{
"Name": "tags_host_grid_name_s",
"Type": "string"
},
{
"Name": "tags_host_gridmaster_ip_s",
"Type": "string"
},
{
"Name": "tags_host_ha_pair_s",
"Type": "string"
},
{
"Name": "tags_host_ha_status_s",
"Type": "string"
},
{
"Name": "tags_host_hardware_id_g",
"Type": "string"
},
{
"Name": "tags_host_heka_optin_s",
"Type": "string"
},
{
"Name": "tags_host_host_name_s",
"Type": "string"
},
{
"Name": "tags_host_hw_s",
"Type": "string"
},
{
"Name": "tags_host_license_uid_g",
"Type": "string"
},
{
"Name": "tags_host_model_no_s",
"Type": "string"
},
{
"Name": "tags_host_nios_role_s",
"Type": "string"
},
{
"Name": "tags_host_nios_version_s",
"Type": "string"
},
{
"Name": "tags_host_physical_oid_s",
"Type": "string"
},
{
"Name": "tags_host_serial_number_g",
"Type": "string"
},
{
"Name": "tags_host_virtual_oid_s",
"Type": "string"
},
{
"Name": "tags_host_virtualnode_ip_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

309
.script/tests/KqlvalidationsTests/CustomTables/IP_Space_Info_CL.json Normal file
Просмотреть файл

@ -0,0 +1,309 @@
{
"Name": "IP_Space_Info_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "asm_config_asm_threshold_d",
"Type": "real"
},
{
"Name": "asm_config_enable_b",
"Type": "bool"
},
{
"Name": "asm_config_enable_notification_b",
"Type": "bool"
},
{
"Name": "asm_config_forecast_period_d",
"Type": "real"
},
{
"Name": "asm_config_growth_factor_d",
"Type": "real"
},
{
"Name": "asm_config_growth_type_s",
"Type": "string"
},
{
"Name": "asm_config_history_d",
"Type": "real"
},
{
"Name": "asm_config_min_total_d",
"Type": "real"
},
{
"Name": "asm_config_min_unused_d",
"Type": "real"
},
{
"Name": "asm_config_reenable_date_t",
"Type": "datetime"
},
{
"Name": "asm_scope_flag_d",
"Type": "real"
},
{
"Name": "comment_s",
"Type": "string"
},
{
"Name": "compartment_id_s",
"Type": "string"
},
{
"Name": "created_at_t",
"Type": "datetime"
},
{
"Name": "ddns_client_update_s",
"Type": "string"
},
{
"Name": "ddns_conflict_resolution_mode_s",
"Type": "string"
},
{
"Name": "ddns_domain_s",
"Type": "string"
},
{
"Name": "ddns_generate_name_b",
"Type": "bool"
},
{
"Name": "ddns_generated_prefix_s",
"Type": "string"
},
{
"Name": "ddns_send_updates_b",
"Type": "bool"
},
{
"Name": "ddns_ttl_percent_d",
"Type": "real"
},
{
"Name": "ddns_update_on_renew_b",
"Type": "bool"
},
{
"Name": "ddns_use_conflict_resolution_b",
"Type": "bool"
},
{
"Name": "default_realms_s",
"Type": "string"
},
{
"Name": "dhcp_config_abandoned_reclaim_time_d",
"Type": "real"
},
{
"Name": "dhcp_config_abandoned_reclaim_time_v6_d",
"Type": "real"
},
{
"Name": "dhcp_config_allow_unknown_b",
"Type": "bool"
},
{
"Name": "dhcp_config_allow_unknown_v6_b",
"Type": "bool"
},
{
"Name": "dhcp_config_echo_client_id_b",
"Type": "bool"
},
{
"Name": "dhcp_config_filters_s",
"Type": "string"
},
{
"Name": "dhcp_config_filters_large_selection_s",
"Type": "string"
},
{
"Name": "dhcp_config_filters_v6_s",
"Type": "string"
},
{
"Name": "dhcp_config_ignore_client_uid_b",
"Type": "bool"
},
{
"Name": "dhcp_config_ignore_list_s",
"Type": "string"
},
{
"Name": "dhcp_config_lease_time_d",
"Type": "real"
},
{
"Name": "dhcp_config_lease_time_v6_d",
"Type": "real"
},
{
"Name": "dhcp_options_s",
"Type": "string"
},
{
"Name": "dhcp_options_v6_s",
"Type": "string"
},
{
"Name": "header_option_filename_s",
"Type": "string"
},
{
"Name": "header_option_server_address_s",
"Type": "string"
},
{
"Name": "header_option_server_name_s",
"Type": "string"
},
{
"Name": "hostname_rewrite_char_s",
"Type": "string"
},
{
"Name": "hostname_rewrite_enabled_b",
"Type": "bool"
},
{
"Name": "hostname_rewrite_regex_s",
"Type": "string"
},
{
"Name": "id_s",
"Type": "string"
},
{
"Name": "name_s",
"Type": "string"
},
{
"Name": "threshold_enabled_b",
"Type": "bool"
},
{
"Name": "threshold_high_d",
"Type": "real"
},
{
"Name": "threshold_low_d",
"Type": "real"
},
{
"Name": "updated_at_t",
"Type": "datetime"
},
{
"Name": "utilization_abandon_utilization_d",
"Type": "real"
},
{
"Name": "utilization_abandoned_s",
"Type": "string"
},
{
"Name": "utilization_dynamic_s",
"Type": "string"
},
{
"Name": "utilization_free_s",
"Type": "string"
},
{
"Name": "utilization_static_s",
"Type": "string"
},
{
"Name": "utilization_total_s",
"Type": "string"
},
{
"Name": "utilization_used_s",
"Type": "string"
},
{
"Name": "utilization_utilization_d",
"Type": "real"
},
{
"Name": "utilization_v6_abandoned_s",
"Type": "string"
},
{
"Name": "utilization_v6_dynamic_s",
"Type": "string"
},
{
"Name": "utilization_v6_static_s",
"Type": "string"
},
{
"Name": "utilization_v6_total_s",
"Type": "string"
},
{
"Name": "utilization_v6_used_s",
"Type": "string"
},
{
"Name": "tags_nios_federation_enabled_s",
"Type": "string"
},
{
"Name": "tags_nios_grid_name_s",
"Type": "string"
},
{
"Name": "tags_nios_import_timestamp_t",
"Type": "datetime"
},
{
"Name": "tags_nios_imported_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

53
.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insight_Details_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name": "Infoblox_Config_Insight_Details_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "analyticInsightId_g",
"Type": "string"
},
{
"Name": "insightType_s",
"Type": "string"
},
{
"Name": "feeds_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

49
.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insights_CL.json Normal file
Просмотреть файл

@ -0,0 +1,49 @@
{
"Name": "Infoblox_Config_Insights_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "policyAnalyticsId_g",
"Type": "string"
},
{
"Name": "insightType_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

97
.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Failed_Indicators_CL.json Normal file
Просмотреть файл

@ -0,0 +1,97 @@
{
"Name": "Infoblox_Failed_Indicators_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "name_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "spec_version_s",
"Type": "string"
},
{
"Name": "id_s",
"Type": "string"
},
{
"Name": "created_t",
"Type": "datetime"
},
{
"Name": "modified_t",
"Type": "datetime"
},
{
"Name": "revoked_b",
"Type": "bool"
},
{
"Name": "labels_s",
"Type": "string"
},
{
"Name": "description_s",
"Type": "string"
},
{
"Name": "indicator_types_s",
"Type": "string"
},
{
"Name": "pattern_s",
"Type": "string"
},
{
"Name": "pattern_version_s",
"Type": "string"
},
{
"Name": "valid_from_t",
"Type": "datetime"
},
{
"Name": "valid_until_t",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

81
.script/tests/KqlvalidationsTests/CustomTables/Service_Name_Info_CL.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"Name": "Service_Name_Info_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "configs_s",
"Type": "string"
},
{
"Name": "created_at_t",
"Type": "datetime"
},
{
"Name": "desired_state_s",
"Type": "string"
},
{
"Name": "destinations_s",
"Type": "string"
},
{
"Name": "id_s",
"Type": "string"
},
{
"Name": "name_s",
"Type": "string"
},
{
"Name": "pool_id_s",
"Type": "string"
},
{
"Name": "service_type_s",
"Type": "string"
},
{
"Name": "source_interfaces_s",
"Type": "string"
},
{
"Name": "updated_at_t",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

97
.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_CL.json Normal file
Просмотреть файл

@ -0,0 +1,97 @@
{
"Name": "dossier_atp_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "data_attack_chain_collection_s",
"Type": "string"
},
{
"Name": "data_attack_chain_credential_access_s",
"Type": "string"
},
{
"Name": "data_attack_chain_defense_evasion_s",
"Type": "string"
},
{
"Name": "data_attack_chain_execution_s",
"Type": "string"
},
{
"Name": "data_attack_chain_initial_access_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_record_count_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

237
.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_threat_CL.json Normal file
Просмотреть файл

@ -0,0 +1,237 @@
{
"Name": "dossier_atp_threat_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "extended_registration_date_s",
"Type": "string"
},
{
"Name": "ip_s",
"Type": "string"
},
{
"Name": "target_s",
"Type": "string"
},
{
"Name": "email_s",
"Type": "string"
},
{
"Name": "extended_extended_s",
"Type": "string"
},
{
"Name": "extended_url_hash_g",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "extended_no_whitelist_s",
"Type": "string"
},
{
"Name": "extended_protocol_s",
"Type": "string"
},
{
"Name": "extended_email_id_s",
"Type": "string"
},
{
"Name": "extended_processor_s",
"Type": "string"
},
{
"Name": "extended_provider_s",
"Type": "string"
},
{
"Name": "extended_submitter_s",
"Type": "string"
},
{
"Name": "full_origin_s",
"Type": "string"
},
{
"Name": "extended_from_email_s",
"Type": "string"
},
{
"Name": "extended_subject_line_s",
"Type": "string"
},
{
"Name": "extended_references_s",
"Type": "string"
},
{
"Name": "up_s",
"Type": "string"
},
{
"Name": "extended_attack_chain_s",
"Type": "string"
},
{
"Name": "extended_reason_s",
"Type": "string"
},
{
"Name": "batch_id_g",
"Type": "string"
},
{
"Name": "class_s",
"Type": "string"
},
{
"Name": "confidence_d",
"Type": "real"
},
{
"Name": "confidence_score_d",
"Type": "real"
},
{
"Name": "confidence_score_rating_s",
"Type": "string"
},
{
"Name": "confidence_score_vector_s",
"Type": "string"
},
{
"Name": "detected_t",
"Type": "datetime"
},
{
"Name": "dga_s",
"Type": "string"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "expiration_t",
"Type": "datetime"
},
{
"Name": "extended_cyberint_guid_g",
"Type": "string"
},
{
"Name": "extended_notes_s",
"Type": "string"
},
{
"Name": "full_profile_s",
"Type": "string"
},
{
"Name": "host_s",
"Type": "string"
},
{
"Name": "id_g",
"Type": "string"
},
{
"Name": "imported_t",
"Type": "datetime"
},
{
"Name": "profile_s",
"Type": "string"
},
{
"Name": "property_s",
"Type": "string"
},
{
"Name": "received_t",
"Type": "datetime"
},
{
"Name": "risk_score_d",
"Type": "real"
},
{
"Name": "risk_score_rating_s",
"Type": "string"
},
{
"Name": "risk_score_vector_s",
"Type": "string"
},
{
"Name": "threat_level_d",
"Type": "real"
},
{
"Name": "threat_score_d",
"Type": "real"
},
{
"Name": "threat_score_rating_s",
"Type": "string"
},
{
"Name": "threat_score_vector_s",
"Type": "string"
},
{
"Name": "tld_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

121
.script/tests/KqlvalidationsTests/CustomTables/dossier_dns_CL.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"Name": "dossier_dns_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_A_s",
"Type": "string"
},
{
"Name": "data_AAAA_s",
"Type": "string"
},
{
"Name": "data_CERT_s",
"Type": "string"
},
{
"Name": "data_CNAME_s",
"Type": "string"
},
{
"Name": "data_HTTPS_s",
"Type": "string"
},
{
"Name": "data_MX_s",
"Type": "string"
},
{
"Name": "data_NS_s",
"Type": "string"
},
{
"Name": "data_SOA_s",
"Type": "string"
},
{
"Name": "data_SVCB_s",
"Type": "string"
},
{
"Name": "data_TSIG_s",
"Type": "string"
},
{
"Name": "data_TXT_s",
"Type": "string"
},
{
"Name": "data_rcode_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

121
.script/tests/KqlvalidationsTests/CustomTables/dossier_geo_CL.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"Name": "dossier_geo_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "data_info_s",
"Type": "string"
},
{
"Name": "data_reason_s",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_asn_num_s",
"Type": "string"
},
{
"Name": "data_city_s",
"Type": "string"
},
{
"Name": "data_country_code_s",
"Type": "string"
},
{
"Name": "data_country_name_s",
"Type": "string"
},
{
"Name": "data_isp_s",
"Type": "string"
},
{
"Name": "data_latitude_d",
"Type": "real"
},
{
"Name": "data_longitude_d",
"Type": "real"
},
{
"Name": "data_org_s",
"Type": "string"
},
{
"Name": "data_postal_code_s",
"Type": "string"
},
{
"Name": "data_region_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

77
.script/tests/KqlvalidationsTests/CustomTables/dossier_infoblox_web_cat_CL.json Normal file
Просмотреть файл

@ -0,0 +1,77 @@
{
"Name": "dossier_infoblox_web_cat_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_results_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

89
.script/tests/KqlvalidationsTests/CustomTables/dossier_inforank_CL.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"Name": "dossier_inforank_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "data_domain_s",
"Type": "string"
},
{
"Name": "data_interval_s",
"Type": "string"
},
{
"Name": "data_rank_d",
"Type": "real"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_message_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

77
.script/tests/KqlvalidationsTests/CustomTables/dossier_malware_analysis_v3_CL.json Normal file
Просмотреть файл

@ -0,0 +1,77 @@
{
"Name": "dossier_malware_analysis_v3_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_info_s",
"Type": "string"
},
{
"Name": "data_reason_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

73
.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_CL.json Normal file
Просмотреть файл

@ -0,0 +1,73 @@
{
"Name": "dossier_nameserver_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

81
.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_matches_CL.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"Name": "dossier_nameserver_matches_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "ns_reputation_confidence_s",
"Type": "string"
},
{
"Name": "ns_reputation_label_s",
"Type": "string"
},
{
"Name": "ns_reputation_malicious_counts_s",
"Type": "string"
},
{
"Name": "ns_reputation_popular_s",
"Type": "string"
},
{
"Name": "ns_reputation_rare_s",
"Type": "string"
},
{
"Name": "ns_reputation_raw_score_s",
"Type": "string"
},
{
"Name": "ns_reputation_score_s",
"Type": "string"
},
{
"Name": "ns_reputation_total_counts_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

85
.script/tests/KqlvalidationsTests/CustomTables/dossier_ptr_CL.json Normal file
Просмотреть файл

@ -0,0 +1,85 @@
{
"Name": "dossier_ptr_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "data_reason_s",
"Type": "string"
},
{
"Name": "data_status_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_ptr_record_s",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

73
.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_CL.json Normal file
Просмотреть файл

@ -0,0 +1,73 @@
{
"Name": "dossier_rpz_feeds_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

73
.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_records_CL.json Normal file
Просмотреть файл

@ -0,0 +1,73 @@
{
"Name": "dossier_rpz_feeds_records_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "class_s",
"Type": "string"
},
{
"Name": "detected_t",
"Type": "datetime"
},
{
"Name": "expiration_t",
"Type": "datetime"
},
{
"Name": "feed_name_s",
"Type": "string"
},
{
"Name": "indicator_s",
"Type": "string"
},
{
"Name": "property_s",
"Type": "string"
},
{
"Name": "threat_level_d",
"Type": "real"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

129
.script/tests/KqlvalidationsTests/CustomTables/dossier_threat_actor_CL.json Normal file
Просмотреть файл

@ -0,0 +1,129 @@
{
"Name": "dossier_threat_actor_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_actor_description_s",
"Type": "string"
},
{
"Name": "data_actor_id_s",
"Type": "string"
},
{
"Name": "data_actor_name_s",
"Type": "string"
},
{
"Name": "data_customer_first_dns_query_s",
"Type": "string"
},
{
"Name": "data_customer_last_dns_query_s",
"Type": "string"
},
{
"Name": "data_display_name_s",
"Type": "string"
},
{
"Name": "data_external_references_s",
"Type": "string"
},
{
"Name": "data_ikb_first_classified_malicious_s",
"Type": "string"
},
{
"Name": "data_ikb_submitted_s",
"Type": "string"
},
{
"Name": "data_infoblox_references_s",
"Type": "string"
},
{
"Name": "data_page_s",
"Type": "string"
},
{
"Name": "data_purpose_s",
"Type": "string"
},
{
"Name": "data_related_count_s",
"Type": "string"
},
{
"Name": "data_ttp_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

77
.script/tests/KqlvalidationsTests/CustomTables/dossier_tld_risk_CL.json Normal file
Просмотреть файл

@ -0,0 +1,77 @@
{
"Name": "dossier_tld_risk_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_matches_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

81
.script/tests/KqlvalidationsTests/CustomTables/dossier_whitelist_CL.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"Name": "dossier_whitelist_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_value_s",
"Type": "string"
},
{
"Name": "data_whitelisted_b",
"Type": "bool"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

197
.script/tests/KqlvalidationsTests/CustomTables/dossier_whois_CL.json Normal file
Просмотреть файл

@ -0,0 +1,197 @@
{
"Name": "dossier_whois_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "data_info_s",
"Type": "string"
},
{
"Name": "data_reason_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_country_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_handle_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_last_changed_t",
"Type": "datetime"
},
{
"Name": "data_response_ip_response_name_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_net_range_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_net_type_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_parent_s",
"Type": "string"
},
{
"Name": "data_response_ip_response_registration_t",
"Type": "datetime"
},
{
"Name": "data_response_ip_response_source_registery_s",
"Type": "string"
},
{
"Name": "status_message_for_dossier_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_created_date_t",
"Type": "datetime"
},
{
"Name": "data_response_parsed_whois_domain_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_expired_date_t",
"Type": "datetime"
},
{
"Name": "data_response_parsed_whois_name_servers_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_other_properties_registry_domain_id_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_registrar_abuse_contact_email_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_registrar_abuse_contact_phone_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_registrar_iana_id_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_registrar_name_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_statuses_s",
"Type": "string"
},
{
"Name": "data_response_parsed_whois_updated_date_t",
"Type": "datetime"
},
{
"Name": "data_response_registration_created_t",
"Type": "datetime"
},
{
"Name": "data_response_registration_expires_t",
"Type": "datetime"
},
{
"Name": "data_response_registration_registrar_s",
"Type": "string"
},
{
"Name": "data_response_registration_statuses_s",
"Type": "string"
},
{
"Name": "data_response_registration_updated_t",
"Type": "datetime"
},
{
"Name": "data_response_whois_date_s",
"Type": "string"
},
{
"Name": "data_response_whois_record_s",
"Type": "string"
},
{
"Name": "task_id_g",
"Type": "string"
},
{
"Name": "params_type_s",
"Type": "string"
},
{
"Name": "params_target_s",
"Type": "string"
},
{
"Name": "params_source_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "time_d",
"Type": "real"
},
{
"Name": "v_s",
"Type": "string"
},
{
"Name": "data_response_nameservers_s",
"Type": "string"
},
{
"Name": "data_response_registrant_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

157
.script/tests/KqlvalidationsTests/CustomTables/tide_lookup_data_CL.json Normal file
Просмотреть файл

@ -0,0 +1,157 @@
{
"Name": "tide_lookup_data_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "extended_registration_date_s",
"Type": "string"
},
{
"Name": "extended_ais_consent_s",
"Type": "string"
},
{
"Name": "extended_protocol_s",
"Type": "string"
},
{
"Name": "extended_sample_sha256_s",
"Type": "string"
},
{
"Name": "hash_s",
"Type": "string"
},
{
"Name": "hash_type_s",
"Type": "string"
},
{
"Name": "dga_s",
"Type": "string"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "host_s",
"Type": "string"
},
{
"Name": "tld_s",
"Type": "string"
},
{
"Name": "extended_attack_chain_s",
"Type": "string"
},
{
"Name": "class_s",
"Type": "string"
},
{
"Name": "detected_t",
"Type": "datetime"
},
{
"Name": "expiration_t",
"Type": "datetime"
},
{
"Name": "extended_cyberint_guid_g",
"Type": "string"
},
{
"Name": "id_g",
"Type": "string"
},
{
"Name": "imported_t",
"Type": "datetime"
},
{
"Name": "ip_s",
"Type": "string"
},
{
"Name": "profile_s",
"Type": "string"
},
{
"Name": "property_s",
"Type": "string"
},
{
"Name": "received_t",
"Type": "datetime"
},
{
"Name": "threat_level_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "up_s",
"Type": "string"
},
{
"Name": "confidence_d",
"Type": "real"
},
{
"Name": "extended_notes_s",
"Type": "string"
},
{
"Name": "extended_references_s",
"Type": "string"
},
{
"Name": "extended_no_whitelist_s",
"Type": "string"
},
{
"Name": "extended_reason_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

431
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Просмотреть файл

@ -3178,7 +3178,438 @@
"id": "ed8a116c-07b4-441c-b74b-395937c264a1",
"templateName": "SymantecVIP.yaml",
"validationFailReason": "Missing column name from custom table 'CollectorHostName' which is already added to the Custom table "
},
{
"id": "518e6938-10ef-4165-af19-82f1287141bc",
"templateName": "ATP policy status check.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b6392f39-a1f4-4ec8-8689-4cb9d28c295a",
"templateName": "JNLP attachment.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "16eda414-1550-4cdc-8512-0769901d3f05",
"templateName": "Safe attachment detection.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422",
"templateName": "Authentication failures.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "5971f2e7-1bb2-4170-aa7a-577ed8a45c72",
"templateName": "Spoof attempts with auth failure.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "ba1a91ad-1f99-4386-b191-06a76ef213f8",
"templateName": "Audit Email Preview-Download action.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "bc2d8214-afb6-4876-b210-25b69325b9b2",
"templateName": "Hunt for TABL changes.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "712ffdd8-ddce-4372-85dd-063029b418cf",
"templateName": "Local time to UTC time conversion.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "deb4b2c6-c10e-4044-8cf4-84243e40db73",
"templateName": "MDO daily detection summary report.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "81ede5df-2ec3-40a5-9dff-1fe6a841079d",
"templateName": "Mail item accessed.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "63c799bc-7567-4e4d-97be-e143fcfaa333",
"templateName": "Malicious email senders.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "92b76a34-502e-4a53-93ec-9fc37c3b358c",
"templateName": "New TABL Items.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935",
"templateName": "Emails containing links to IP addresses.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "e6259b03-622e-4e11-9c54-94987dad7c14",
"templateName": "Good emails from senders with bad patterns.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72",
"templateName": "Hunt for email conversation take over attempts.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "57f95ba7-938d-4a76-b411-c01034c0d167",
"templateName": "Hunt for malicious URLs using external IOC source.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe",
"templateName": "Hunt for malicious attachments using external IOC source.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "54569b06-47fc-41ae-9b00-f7d9b61337b6",
"templateName": "Inbox rule change which forward-redirect email.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2",
"templateName": "MDO_CountOfRecipientsEmailaddressbySubject.YAML",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b95994d1-1008-4c42-a74f-9f2967e39ed6",
"templateName": "MDO_CountOfSendersEmailaddressbySubject.YAML",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "f840db5b-87c9-43c8-a8c3-5b6b83838cd4",
"templateName": "MDO_Countofrecipientsemailaddressesbysubject.YAML",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "a96c1571-1f7d-48dc-8287-7df5a5f0d987",
"templateName": "MDO_SummaryOfSenders.YAML",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "2c6e7f75-d83c-4344-afdc-83335fe550e6",
"templateName": "MDO_URLClickedinEmail.YAML",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6",
"templateName": "Detections by detection methods.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "da7b973a-0045-4fd6-9161-269369336d24",
"templateName": "Mail reply to new domain.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "6b478186-da3b-4d71-beaa-aa5b42908499",
"templateName": "Mailflow by directionality.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "da932998-81dd-4be4-963c-f4890cb4192e",
"templateName": "Malicious emails detected per day.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b2beec6a-2c1c-4319-a191-e70c2ee42857",
"templateName": "Sender recipient contact establishment.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "12225f50-9d41-4b78-8269-cc127d98654c",
"templateName": "Top 100 malicious email senders.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "cadf6e78-2a9a-4fb5-b788-30a592d699d3",
"templateName": "Top 100 senders.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "95b0c7ed-2853-4343-80a9-ab076cf31e51",
"templateName": "Zero day threats.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "439f817c-845c-4dda-a8d9-5c1f6831cee9",
"templateName": "Email containing malware accessed on a unmanaged device.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "07c85687-6dee-4266-9345-1e34de85d989",
"templateName": "Email containing malware sent by an internal sender.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea",
"templateName": "Email malware detection report.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "a3619c75-a927-4dbb-91cc-9adc55e95bda",
"templateName": "Malware detections by detection methods.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "fd68706e-8e3e-4ccd-9230-1f267bdad4c8",
"templateName": "Admin overrides.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "c73ae295-d120-4f79-aaed-de005f766ad2",
"templateName": "Top policies performing admin overrides.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "fe2cb53e-4eb3-4676-87c1-f80d2813f542",
"templateName": "Top policies performing user overrides.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9",
"templateName": "User overrides.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808",
"templateName": "Appspot phishing abuse.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "9d59be10-54d9-478b-b669-fb4eb8517cd0",
"templateName": "PhishDetectionByDetectionMethod.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "25150085-015a-4673-9b67-bc6ad9475500",
"templateName": "Campaign with randomly named attachments.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "9b086a51-e396-4718-90d7-f7b3646e6581",
"templateName": "Campaign with suspicious keywords.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "516046e8-a460-4f7b-86eb-421d3a9cdff1",
"templateName": "Custom detection-Emails with QR from non-prevalent senders.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "594fe5a1-53b6-466b-86df-028366c3994e",
"templateName": "Emails delivered having URLs from QR codes.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "706b711a-7622-40f1-9ebb-331d1a0ff697",
"templateName": "Emails with QR codes and suspicious keywords in subject.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "f708c866-073a-4107-a60b-ba6f86e54caa",
"templateName": "Emails with QR codes from non-prevalent sender.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "68aa199c-259b-4bb0-8e7a-8ed6f96c5525",
"templateName": "Hunting for sender patterns.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "8c852f12-499f-499b-afc1-25c50aa9b462",
"templateName": "Hunting for user signals-clusters.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "f6354c94-3a95-4235-8530-414f016a7bf6",
"templateName": "Inbound emails with QR code URLs.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "dc7e1eb5-16f5-4ad5-96a1-794970f4b310",
"templateName": "Personalized campaigns based on the first few keywords.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "54d3455d-27e0-4ceb-99f9-375abd620151",
"templateName": "Personalized campaigns based on the last few keywords.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "8d298b5c-feca-4add-bd42-e43e0a317a88",
"templateName": "Risky sign-in attempt from a non-managed device.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "3131d0ba-32c9-483e-a25c-82e26a07e116",
"templateName": "Suspicious sign-in attempts from QR code phishing campaigns.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "a12cac64-ea6d-46d4-91a6-262b165fb9ad",
"templateName": "Group quarantine release.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "9e8faa62-7222-48a5-a78f-ef2d22f866dc",
"templateName": "High Confidence Phish Released.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "6f96f6d7-d972-421e-a59f-6b9a8de81324",
"templateName": "Quarantine Release Email Details.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "9f135aef-ad25-4df2-bdab-8399978a36a2",
"templateName": "Quarantine release trend.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "99713387-9d61-49eb-8edc-f51153d8bb01",
"templateName": "Email remediation action list.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "6a570927-8638-4a6f-ac09-72a7d51ffa3c",
"templateName": "Display Name - Spoof and Impersonation.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "cdc4da1c-64a1-4941-be59-1f5cc85481ab",
"templateName": "Referral phish emails.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "b3180ac0-6d94-494a-8b8c-fcc84319ea6e",
"templateName": "Spoof and impersonation detections by sender IP.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "011c3d48-f6ca-405f-9763-66c7856ad2ba",
"templateName": "Spoof and impersonation phish detections.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "e90345b3-439c-44e1-a85d-8ae84ad9c65b",
"templateName": "User not covered under display name impersonation.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "71aeb41d-c85c-4569-bb08-6f1cd38bca49",
"templateName": "Admin reported submissions.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "1c390fd7-2668-4445-9b7d-055f3851be5f",
"templateName": "Status of submissions.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "2d2351ca-e9a6-4286-b445-a9268189c1dc",
"templateName": "Top submitters of admin submissions.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "8c9bc29b-f32a-49fe-8fe8-450479f4130f",
"templateName": "Top submitters of user submissions.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "0bd33643-c517-48b1-8211-25a7fbd15a50",
"templateName": "User reported submissions.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "de480ca4-4095-4fef-b3e7-2a3f17f24e78",
"templateName": "Attacked more than x times average.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27",
"templateName": "Malicious mails by sender IPs.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "27ee28e7-423b-48c9-a410-cbc6c8e21d25",
"templateName": "Top 10 URL domains attacking organization.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58",
"templateName": "Top 10 percent of most attacked users.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2",
"templateName": "Top external malicious senders.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "a1664330-810a-473b-b354-acbaa751a294",
"templateName": "Top targeted users.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "d24e9c4a-b72a-4a85-89cd-83760ae61155",
"templateName": "End user malicious clicks.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "3f007cdc-86bf-4657-9015-05101a3e54f5",
"templateName": "URL click count by click action.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "efe27064-6d35-4720-b7f5-e0326695613d",
"templateName": "URL click on ZAP Email.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "bc46e331-3cb0-483d-9c90-989d2a59457f",
"templateName": "URL clicks actions by URL.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "03e61096-20d0-46eb-b8e0-a507dd00a19f",
"templateName": "URLClick details based on malicious URL click alert.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "f075d4c4-cf76-4e5d-9c2d-9ed524286316",
"templateName": "User clicked through events.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "891f4865-75e5-4d40-bc24-ebf97da3ca9a",
"templateName": "User clicks on malicious inbound emails.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "d823da0e-1334-4a66-8ff4-2c2c40d26295",
"templateName": "User clicks on phishing URLs in emails.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "08aff8c6-b983-43a3-be95-68a10c3d35e6",
"templateName": "Phishing Email Url Redirector.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9",
"templateName": "SafeLinks URL detections.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
{
"id": "c10b22a0-6021-46f9-bdaf-05bf2350a554",
"templateName": "Total ZAP count.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
}
// Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End
]

90
.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
Просмотреть файл

@ -530,5 +530,93 @@
"df292d06-f348-41ad-b780-0abb5acfe9ab",
"b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8",
"13424be6-aed7-448b-afe5-c03d8b29b4fe",
"04384937-e927-4595-8f3c-89ff58ed231f"
"04384937-e927-4595-8f3c-89ff58ed231f",
"518e6938-10ef-4165-af19-82f1287141bc",
"b6392f39-a1f4-4ec8-8689-4cb9d28c295a",
"16eda414-1550-4cdc-8512-0769901d3f05",
"7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422",
"5971f2e7-1bb2-4170-aa7a-577ed8a45c72",
"ba1a91ad-1f99-4386-b191-06a76ef213f8",
"bc2d8214-afb6-4876-b210-25b69325b9b2",
"712ffdd8-ddce-4372-85dd-063029b418cf",
"deb4b2c6-c10e-4044-8cf4-84243e40db73",
"81ede5df-2ec3-40a5-9dff-1fe6a841079d",
"63c799bc-7567-4e4d-97be-e143fcfaa333",
"92b76a34-502e-4a53-93ec-9fc37c3b358c",
"8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935",
"e6259b03-622e-4e11-9c54-94987dad7c14",
"fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72",
"57f95ba7-938d-4a76-b411-c01034c0d167",
"0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe",
"54569b06-47fc-41ae-9b00-f7d9b61337b6",
"430a9c0d-f3ce-46a3-a994-92b3ada0d1b2",
"b95994d1-1008-4c42-a74f-9f2967e39ed6",
"f840db5b-87c9-43c8-a8c3-5b6b83838cd4",
"a96c1571-1f7d-48dc-8287-7df5a5f0d987",
"2c6e7f75-d83c-4344-afdc-83335fe550e6",
"1c51e10e-7f77-40bc-bd37-6aa55cdf94d6",
"da7b973a-0045-4fd6-9161-269369336d24",
"6b478186-da3b-4d71-beaa-aa5b42908499",
"da932998-81dd-4be4-963c-f4890cb4192e",
"b2beec6a-2c1c-4319-a191-e70c2ee42857",
"12225f50-9d41-4b78-8269-cc127d98654c",
"cadf6e78-2a9a-4fb5-b788-30a592d699d3",
"95b0c7ed-2853-4343-80a9-ab076cf31e51",
"439f817c-845c-4dda-a8d9-5c1f6831cee9",
"07c85687-6dee-4266-9345-1e34de85d989",
"23dbd58b-23ce-42ae-b4d1-0dfdd35871ea",
"a3619c75-a927-4dbb-91cc-9adc55e95bda",
"fd68706e-8e3e-4ccd-9230-1f267bdad4c8",
"c73ae295-d120-4f79-aaed-de005f766ad2",
"fe2cb53e-4eb3-4676-87c1-f80d2813f542",
"b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9",
"cdac93ef-56c0-45bf-9e7f-9cbf0ad06808",
"9d59be10-54d9-478b-b669-fb4eb8517cd0",
"25150085-015a-4673-9b67-bc6ad9475500",
"9b086a51-e396-4718-90d7-f7b3646e6581",
"516046e8-a460-4f7b-86eb-421d3a9cdff1",
"594fe5a1-53b6-466b-86df-028366c3994e",
"706b711a-7622-40f1-9ebb-331d1a0ff697",
"f708c866-073a-4107-a60b-ba6f86e54caa",
"68aa199c-259b-4bb0-8e7a-8ed6f96c5525",
"8c852f12-499f-499b-afc1-25c50aa9b462",
"f6354c94-3a95-4235-8530-414f016a7bf6",
"dc7e1eb5-16f5-4ad5-96a1-794970f4b310",
"54d3455d-27e0-4ceb-99f9-375abd620151",
"8d298b5c-feca-4add-bd42-e43e0a317a88",
"3131d0ba-32c9-483e-a25c-82e26a07e116",
"a12cac64-ea6d-46d4-91a6-262b165fb9ad",
"9e8faa62-7222-48a5-a78f-ef2d22f866dc",
"6f96f6d7-d972-421e-a59f-6b9a8de81324",
"9f135aef-ad25-4df2-bdab-8399978a36a2",
"99713387-9d61-49eb-8edc-f51153d8bb01",
"6a570927-8638-4a6f-ac09-72a7d51ffa3c",
"cdc4da1c-64a1-4941-be59-1f5cc85481ab",
"b3180ac0-6d94-494a-8b8c-fcc84319ea6e",
"011c3d48-f6ca-405f-9763-66c7856ad2ba",
"e90345b3-439c-44e1-a85d-8ae84ad9c65b",
"71aeb41d-c85c-4569-bb08-6f1cd38bca49",
"1c390fd7-2668-4445-9b7d-055f3851be5f",
"2d2351ca-e9a6-4286-b445-a9268189c1dc",
"8c9bc29b-f32a-49fe-8fe8-450479f4130f",
"0bd33643-c517-48b1-8211-25a7fbd15a50",
"de480ca4-4095-4fef-b3e7-2a3f17f24e78",
"a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27",
"27ee28e7-423b-48c9-a410-cbc6c8e21d25",
"e3b7b5c1-0e50-4dfb-b73a-c226636eaf58",
"9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2",
"a1664330-810a-473b-b354-acbaa751a294",
"d24e9c4a-b72a-4a85-89cd-83760ae61155",
"3f007cdc-86bf-4657-9015-05101a3e54f5",
"efe27064-6d35-4720-b7f5-e0326695613d",
"bc46e331-3cb0-483d-9c90-989d2a59457f",
"03e61096-20d0-46eb-b8e0-a507dd00a19f",
"f075d4c4-cf76-4e5d-9c2d-9ed524286316",
"891f4865-75e5-4d40-bc24-ebf97da3ca9a",
"d823da0e-1334-4a66-8ff4-2c2c40d26295",
"08aff8c6-b983-43a3-be95-68a10c3d35e6",
"492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9",
"c10b22a0-6021-46f9-bdaf-05bf2350a554"
]

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 518e6938-10ef-4165-af19-82f1287141bc
name: ATP policy status check
description: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
description-detailed: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "Set-AtpPolicyForO365"
| mv-expand ActivityObjects
| extend Name = tostring(ActivityObjects.Name)
| extend Value = tostring(ActivityObjects.Value)
| where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
| extend packed = pack(Name, Value)
| summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
| evaluate bag_unpack(PackedInfo)
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/ATP%20policy%20status%20check.yaml'

16
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
Просмотреть файл

@ -1,18 +1,4 @@
id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
name: JNLP-File-Attachment
description: |
JNLP file extensions are an uncommon file type often used to deliver malware.
description-detailed: |
JNLP file extensions are an uncommon file type often used to deliver malware.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where FileName endswith ".jnlp"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/JNLP%20attachment.yaml'

21
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
Просмотреть файл

@ -1,23 +1,4 @@
id: 16eda414-1550-4cdc-8512-0769901d3f05
name: Safe Attachments detections
description: |
This query provides insights on the detections done by Safe Attachment detections
description-detailed: |
This query provides insights on the detections done by Safe Attachment detections.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
| extend detection= tostring(parse_json(DetectionMethods).Phish)
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/Safe%20attachment%20detection.yaml'

21
Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml
Просмотреть файл

@ -1,23 +1,4 @@
id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
name: Authentication failures by time and authentication type
description: |
This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
description-detailed: |
This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (30d)
| project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
| evaluate bag_unpack(AR)
| where DMARC == "fail"
| summarize count() by bin(Timestamp, 1d)
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Authentication%20failures.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
name: Spoof attempts with auth failure
description: |
This query helps in checking for spoofing attempts on the domain with Authentication failures
description-detailed: |
This query helps in checking for spoofing attempts on the domain with Authentication failures.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (1d) and DetectionMethods contains "spoof"
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml'

27
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml
Просмотреть файл

@ -1,29 +1,4 @@
id: ba1a91ad-1f99-4386-b191-06a76ef213f8
name: Audit Email Preview-Download action
description: |
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
description-detailed: |
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
| evaluate bag_unpack(AR)
| where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
| serialize
| extend RowNumber = row_number()
| mv-expand ExtendedProperties
| evaluate bag_unpack(ExtendedProperties, 'xp_')
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Audit%20Email%20Preview-Download%20action.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: bc2d8214-afb6-4876-b210-25b69325b9b2
name: Hunt for TABL changes
description: |
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
description-detailed: |
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType contains "TenantAllowBlockListItems"
| order by Timestamp desc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Hunt%20for%20TABL%20changes.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: 712ffdd8-ddce-4372-85dd-063029b418cf
name: Local time to UTC time conversion
description: |
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
description-detailed: |
This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation == "Quarantine"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Local%20time%20to%20UTC%20time%20conversion.yaml'

64
Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml
Просмотреть файл

@ -1,66 +1,4 @@
id: deb4b2c6-c10e-4044-8cf4-84243e40db73
name: MDO daily detection summary report
description: |
This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
description-detailed: |
This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- AlertEvidence
- EmailEvents
- EmailPostDeliveryEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let QueryTime = 30d;
let Reports = CloudAppEvents
| where Timestamp > ago(QueryTime)
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate)
| extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId)
| extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd"))
| distinct Date_value,NetworkMessageID
| summarize count() by Date_value
| project Date_value, MessagesGotReported=count_;
let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish")
| extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict)
| extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
| extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation))
| summarize PostDeliveryTotalAIRInvestigations = count(),
PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"),
PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"),
PostDeliveryAirMalicious = countif(DetectionFromAIR contains "Malicious")
by Date_value //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks
| project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious;
let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime)
| extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
| project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress);
let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID
| extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received
| summarize PostDeliveryZAP=count() by Date_value);
let DeliveryByThreat = (DeliveryInboundEvents
| where Timestamp > ago(QueryTime)
| extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
| extend MDO_detection = parse_json(DetectionMethods)
| extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
| extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)"))
| summarize TotalEmails = count(),
Clean = countif(FirstSubcategory contains "Clean"),
Malware = countif(FirstSubcategory contains "Malware"),
Phish = countif(FirstSubcategory contains "Phish"),
Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"),
Bulk = countif(FirstSubcategory contains "Bulk")
by Date_value;
DeliveryByThreat
| join kind=fullouter Reports on Date_value
| join kind=fullouter PostDeliveryEvents on Date_value
| join kind=fullouter ThreatByAutomation on Date_value
| sort by Date_value asc
| project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/MDO%20daily%20detection%20summary%20report.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
name: Mail item accessed
description: |
This query helps reviewing emails accessed by end users using cloud app events data
description-detailed: |
This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| where Record == 50
| take 10
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Mail%20item%20accessed.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 63c799bc-7567-4e4d-97be-e143fcfaa333
name: Malicious email senders
description: |
This query helps hunting for emails from a sender with at least one email in quarantine
description-detailed: |
This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let SenderWithQuarantine = EmailEvents
| where LatestDeliveryLocation == "Quarantine"
| project SenderFromAddress;
EmailEvents
| where LatestDeliveryLocation == "Inbox/folder"
| where SenderFromAddress in (SenderWithQuarantine)
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Malicious%20email%20senders.yaml'

31
Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml
Просмотреть файл

@ -1,33 +1,4 @@
id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
name: New TABL Items
description: |
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
description-detailed: |
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
| extend Parameters = RawEventData.Parameters
| mv-apply Parameters on (
extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
| summarize Parameters=make_bag(Out)
)
| extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType,ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
| extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
| project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
| order by Timestamp desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountUpn
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/New%20TABL%20Items.yaml'

16
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml
Просмотреть файл

@ -1,18 +1,4 @@
id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
name: Emails containing links to IP addresses
description: |
This query helps hunting for Emails containing links to IP addresses
description-detailed: |
This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Emails%20containing%20links%20to%20IP%20addresses.yaml'

28
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml
Просмотреть файл

@ -1,30 +1,4 @@
id: e6259b03-622e-4e11-9c54-94987dad7c14
name: Good emails from senders with bad patterns
description: |
This query helps hunting for good emails from senders with bad patterns
description-detailed: |
This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Good emails from senders with bad patterns
let PctPhishThreshold = 50;
let LookbackWindow = 1d;
EmailEvents
| where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
| where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
| summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
| project-away SenderMailFromAddress1,AuthenticationDetails1
| extend PctPhish = (PhishCount*100 / TotalCount)
| where PctPhish < 100 and PctPhish>= PctPhishThreshold
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Good%20emails%20from%20senders%20with%20bad%20patterns.yaml'

38
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml
Просмотреть файл

@ -1,40 +1,4 @@
id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
name: Hunt for email conversation take over attempts
description: |
This query helps hunting for email conversation take over attempts
description-detailed: |
This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
| distinct Pair;
let EmailDomains = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| distinct SenderFromDomain;
EmailEvents
| where Timestamp >= ago(4hrs)
| where DeliveryLocation != "Quarantine"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
| project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftouter ( emailDelivered ) on Pair
| order by SenderMailFromAddress
| where NewMsg == false
and Pair1 == ""
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20email%20conversation%20take%20over%20attempts.yaml'

26
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml
Просмотреть файл

@ -1,28 +1,4 @@
id: 57f95ba7-938d-4a76-b411-c01034c0d167
name: Hunt for malicious URLs using external IOC source
description: |
This query helps hunt for emails with malicious URLs based on external IOC source
description-detailed: |
This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let url = (externaldata(url: string )
[@"https://urlhaus.abuse.ch/downloads/text_online/"]
with (format="txt"))
| project url;
url
| join (EmailUrlInfo
| where Timestamp > ago(2h)
) on $left.url == $right.Url
|join EmailEvents on NetworkMessageId
|project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
name: Hunt for malicious attachments using external IOC source
description: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
description-detailed: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let abuse_sha256 = (externaldata(sha256_hash: string)
[@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
with (format="txt"))
| where sha256_hash !startswith "#"
| project sha256_hash;
abuse_sha256
| join (EmailAttachmentInfo
| where Timestamp > ago(1d)
) on $left.sha256_hash == $right.SHA256
| project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
name: Inbox rule changes which forward-redirect email
description: |
This query helps hunting for Inbox rule changes which forward-redirect email
description-detailed: |
This query helps hunting for Inbox rule changes which forward-redirect email
Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Persistence
relevantTechniques:
- T1098
query: |
CloudAppEvents
| where ActionType contains "Set-InboxRule"
|extend Parameters = tostring((parse_json(RawEventData)).Parameters)
|where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Inbox%20rule%20change%20which%20forward-redirect%20email.yaml'

31
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
Просмотреть файл

@ -1,33 +1,4 @@
id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
name: MDO_CountOfRecipientsEmailaddressbySubject
description: |
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
author:
name: Matt Novitsch
support:
tier: Community
categories:
domains: [ "Security" ]
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML'

31
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
Просмотреть файл

@ -1,33 +1,4 @@
id: b95994d1-1008-4c42-a74f-9f2967e39ed6
name: MDO_CountOfSendersEmailaddressbySubject
description: |
Count of sender's email addresses by subject
description-detailed: |
Count of sender's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of sender's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountSenderFromAddress >= 10
| project SenderFromAddress, CountSenderFromAddress, Subject
metadata:
source:
kind: Community
author:
name: Matt Novitsch
support:
tier: Community
categories:
domains: [ "Security" ]
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML'

31
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
Просмотреть файл

@ -1,33 +1,4 @@
id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
name: MDO_Countofrecipientsemailaddressesbysubject
description: |
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
author:
name: Matt Novitsch
support:
tier: Community
categories:
domains: [ "Security" ]
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML'

34
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
Просмотреть файл

@ -1,36 +1,4 @@
id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
name: MDO_SummaryOfSenders
description: |
Count of all Senders and where they were delivered
description-detailed: |
Count of all Senders and where they were delivered
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Distinct Count
EmailEvents
| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress
//Count of all Senders and where they were delivered
EmailEvents
| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
Emails = count(DeliveryLocation == "Inbox/folder"),
JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
metadata:
source:
kind: Community
author:
name: Matt Novitsch
support:
tier: Community
categories:
domains: [ "Security" ]
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_SummaryOfSenders.YAML'

27
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML
Просмотреть файл

@ -1,29 +1,4 @@
id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
name: MDO_URLClickedinEmail
description: |
URLs clicked in Email
description-detailed: |
URLs clicked in Email
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ActionType == "ClickAllowed"
//| where ActionType <> "ClickAllowed"
| project AccountUpn, ActionType, Url
metadata:
source:
kind: Community
author:
name: Matt Novitsch
support:
tier: Community
categories:
domains: [ "Security" ]
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_URLClickedinEmail.YAML'

44
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml
Просмотреть файл

@ -1,46 +1,4 @@
id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
name: Detections by detection methods
description: |
This query helps reviewing malicious email detections by detection methods
description-detailed: |
This query helps reviewing malicious email detections by detection methods in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
| summarize TotalEmailCount = count(),
Phish_detection = countif(isnotempty(MDO_detection.Phish)),
Malware_detection = countif(isnotempty(MDO_detection.Malware)),
Spam_detection = countif(isnotempty( MDO_detection.Spam)),
URL_malicious_reputation = countif(MDO_detection.Phish == @'["URL malicious reputation"]' or MDO_detection.Malware == @'["URL malicious reputation"]'),
URL_detonation_reputation = countif(MDO_detection.Phish == @'["URL detonation reputation"]' or MDO_detection.Malware == @'["URL detonation reputation"]'),
URL_detonation = countif(MDO_detection.Phish == @'["URL detonation"]' or MDO_detection.Malware == @'["URL detonation"]'),
Advanced_filter = countif(MDO_detection.Phish == @'["Advanced filter"]'),
General_filter = countif(MDO_detection.Phish == @'["General filter"]'),
Spoof_intra_org = countif(MDO_detection.Phish == @'["Spoof intra-org"]'),
Spoof_external_domain = countif(MDO_detection.Phish == @'["Spoof external domain"]'),
Spoof_DMARC = countif(MDO_detection.Phish == @'["Spoof DMARC"]'),
Impersonation_brand = countif(MDO_detection.Phish == @'["Impersonation brand"]'),
Impersonation_user = countif(MDO_detection.Phish == @'["Impersonation user"]'),
Impersonation_domain = countif(MDO_detection.Phish == @'["Impersonation domain"]'),
Mixed_analysis_detection= countif(MDO_detection.Phish == @'["Mixed analysis detection"]'),
File_reputation = countif(MDO_detection.Phish == @'["File reputation"]' or MDO_detection.Malware == @'["File reputation"]'),
File_detonation = countif(MDO_detection.Phish == @'["File detonation"]' or MDO_detection.Malware == @'["File detonation"]'),
File_detonation_reputation = countif(MDO_detection.Phish == @'["File detonation reputation"]' or MDO_detection.Malware == @'["File detonation reputation"]'),
Antimalware_engine = countif(MDO_detection.Malware == @'["Antimalware engine"]'),
Fingerprint_matching = countif(MDO_detection.Phish == @'["Fingerprint matching"]'),
Mailbox_intelligence_impersonation = countif(MDO_detection.Phish == @'["Mailbox intelligence impersonation"]'),
Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
| project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Detections%20by%20detection%20methods.yaml'

38
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
Просмотреть файл

@ -1,40 +1,4 @@
id: da7b973a-0045-4fd6-9161-269369336d24
name: Mail reply to new domain
description: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
description-detailed: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
| distinct Pair;
let EmailDomains = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| distinct SenderFromDomain;
EmailEvents
| where Timestamp >= ago(4hrs)
| where DeliveryLocation != "Quarantine"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
| project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftouter ( emailDelivered ) on Pair
| order by SenderMailFromAddress
| where NewMsg == false
and Pair1 == ""
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mail%20reply%20to%20new%20domain.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: 6b478186-da3b-4d71-beaa-aa5b42908499
name: Mailflow by directionality
description: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
description-detailed: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
| summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mailflow%20by%20directionality.yaml'

27
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
Просмотреть файл

@ -1,29 +1,4 @@
id: da932998-81dd-4be4-963c-f4890cb4192e
name: Malicious emails detected per day
description: |
This query helps reviewing Malware, Phishing, Spam emails caught per day
description-detailed: |
This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
| extend detection= parse_json(DetectionMethods)
| extend Spam = tostring(detection.Spam)
| extend Phish = tostring(detection.Phish)
| extend Malware = tostring(detection.Malware)
| where Spam != '' or Phish != '' or Malware != ''
| extend detection = case(
Malware != "", 'Malware',
Phish != "", 'Phish',
'Spam')
| summarize total=count() by detection, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Malicious%20emails%20detected%20per%20day.yaml'

33
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
Просмотреть файл

@ -1,35 +1,4 @@
id: b2beec6a-2c1c-4319-a191-e70c2ee42857
name: Sender recipient contact establishment
description: |
This query helps in checking the sender-recipient contact establishment status
description-detailed: |
This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(30d)
and DeliveryAction == "Delivered"
and SenderDisplayName contains "Microsoft"
| summarize count() by SenderFromAddress
| where count_ > 3 // ensuring that some level of communications has occured.
| project SenderFromAddress;
EmailEvents
| where Timestamp > ago(24hrs)
| where DeliveryAction == "Delivered"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
and SenderDisplayName contains "Microsoft" //Change the name here
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Sender%20recipient%20contact%20establishment.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: 12225f50-9d41-4b78-8269-cc127d98654c
name: Top 100 malicious email senders
description: |
This query helps reviewing top 100 malicious senders
description-detailed: |
This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize total=count() by SenderMailFromAddress
| top 100 by total
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20malicious%20email%20senders.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
name: Top 100 senders
description: |
This query helps reviewing top 100 senders in your organization in last 30 days
description-detailed: |
This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| summarize mailCountBySender = count() by SenderMailFromAddress
| top 100 by mailCountBySender
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20senders.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
name: Zero day threats
description: |
This query helps reviewing zero day threats via URL and file detonations
description-detailed: |
This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
| count
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Zero%20day%20threats.yaml'

28
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
Просмотреть файл

@ -1,30 +1,4 @@
id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
name: Email containing malware accessed on a unmanaged device
description: |
In this query, we are looking for emails containing malware accessed on a unmanaged device
description-detailed: |
In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailPostDeliveryEvents
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Execution
relevantTechniques:
- T1204
query: |
EmailPostDeliveryEvents
| where ActionType == "Malware ZAP"
| project NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,ZAPReportId=ReportId,ZAPTimestamp=Timestamp
| join (CloudAppEvents | where ActionType == "MailItemsAccessed"
| extend RawEvent=parse_json(RawEventData)
| mv-expand RawEvent.Folders
| mv-expand RawEvent_Folders.FolderItems
| project SessionId=tostring(RawEvent.SessionId),InternetMessageId=tostring(parse_json(RawEvent_Folders_FolderItems).InternetMessageId),ActionTimestamp=Timestamp,ActionReportId=ReportId
) on InternetMessageId
| where isnotempty(SessionId)
| join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20accessed%20on%20a%20unmanaged%20device.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: 07c85687-6dee-4266-9345-1e34de85d989
name: Email containing malware sent by an internal sender
description: |
In this query, we are looking for emails containing malware attachment sent by an internal sender
description-detailed: |
In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- LateralMovement
relevantTechniques:
- T1534
query: |
EmailEvents
| where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
| where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20sent%20by%20an%20internal%20sender.yaml'

24
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
Просмотреть файл

@ -1,26 +1,4 @@
id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
name: Email malware detection report
description: |
This query helps reviewing email malware detection cases
description-detailed: |
This query helps reviewing email malware detection cases in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatNames)
| join kind=inner EmailAttachmentInfo on NetworkMessageId
| extend ThreatFamilyAttachment = strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " /", ThreatNames, " /", FileName, " /", NetworkMessageId)
| summarize ThreatFamily_wih_Attachment= make_list(ThreatFamilyAttachment) by RecipientEmailAddress
| extend Case = array_length(ThreatFamily_wih_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
| sort by Case desc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20malware%20detection%20report.yaml'

30
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
Просмотреть файл

@ -1,32 +1,4 @@
id: a3619c75-a927-4dbb-91cc-9adc55e95bda
name: Malware detections by detection methods
description: |
This query helps reviewing malware detections by detection methods
description-detailed: |
This query helps reviewing malware detections by detection methods in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
| where MDO_detection.Malware in
(
@'["File detonation reputation"]',
@'["File detonation"]',
@'["File reputation"]',
@'["Antimalware engine"]',
@'["URL malicious reputation"]',
@'["URL detonation reputation"]',
@'["URL detonation"]'
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Malware%20detections%20by%20detection%20methods.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
name: Admin overrides
description: |
This query helps in reviewing malicious emails allowed due to admin overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and OrgLevelAction == "Allow"
| count
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Admin%20overrides.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: c73ae295-d120-4f79-aaed-de005f766ad2
name: Top policies performing admin overrides
description: |
This query helps in reviewing top policies for admin overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow" //"Block"
| summarize count() by OrgLevelPolicy
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20admin%20overrides.yaml'

18
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
Просмотреть файл

@ -1,20 +1,4 @@
id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
name: Top policies performing user overrides
description: |
This query helps in reviewing top policies for user overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
| summarize count() by UserLevelPolicy
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20user%20overrides.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
name: User overrides
description: |
This query helps in reviewing malicious emails allowed due to user overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and UserLevelAction == "Allow"
| count
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/User%20overrides.yaml'

29
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
Просмотреть файл

@ -1,31 +1,4 @@
id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
name: Appspot Phishing Abuse
description: |
This query helps surface phishing campaigns associated with Appspot abuse.
description-detailed: |
This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
| where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
// Enrich results with sender and recipient data
| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
// Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
// Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
// Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/Appspot%20phishing%20abuse.yaml'

37
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
Просмотреть файл

@ -1,39 +1,4 @@
id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
name: Phish detections by detection methods
description: |
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
description-detailed: |
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
| where MDO_detection.Phish in
(
@'["URL malicious reputation"]',
@'["URL detonation reputation"]',
@'["URL detonation"]',
@'["Advanced filter"]',
@'["General filter"]',
@'["Spoof intra-org"]',
@'["Spoof external domain"]',
@'["Spoof DMARC"]',
@'["Impersonation brand"]',
@'["Mixed analysis detection"]',
@'["File reputation"]',
@'["File detonation reputation"]',
@'["File detonation"]',
@'["Fingerprint matching"]'
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/PhishDetectionByDetectionMethod.yaml'

22
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
Просмотреть файл

@ -1,24 +1,4 @@
id: 25150085-015a-4673-9b67-bc6ad9475500
name: Campaign with randomly named attachments
description: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
description-detailed: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("png", "jpg", "jpeg", "gif", "svg")
| where isnotempty(FileName)
| extend firstFourFileName = substring(FileName, 0, 4)
| summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
| where FirstFourFilesCount >= 10
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20randomly%20named%20attachments.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 9b086a51-e396-4718-90d7-f7b3646e6581
name: Campaign with suspicious keywords
description: |
In this detection, we track emails with suspicious keywords in subjects.
description-detailed: |
In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingKeywords = ()
{pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| where Subject has_any (PhishingKeywords())
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20suspicious%20keywords.yaml'

49
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
Просмотреть файл

@ -1,51 +1,4 @@
id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
name: Custom detection-Emails with QR from non-prevalent senders
description: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
description-detailed: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let QRCode_emails = EmailUrlInfo
| where Timestamp > ago (2d)
| where UrlLocation == "QRCode"
| distinct Url,NetworkMessageId;
let nMIDs = QRCode_emails | distinct NetworkMessageId;
// Extracting sender of the email with QRCode:
let senders_NMIDs = EmailEvents
| where Timestamp > ago (2d)
| where DeliveryAction != "Blocked" // Only delivered or Junked emails are interesting
| where isnotempty(NetworkMessageId)
| where NetworkMessageId in (nMIDs)
| distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
let senders = senders_NMIDs
| distinct SenderFromAddress;
// Checking sender prevalence in the organization
let senderprevalence = EmailEvents
| where Timestamp between (ago(14d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| where SenderFromAddress in (senders)
| summarize TotalEmailCount = count() by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
// Checking where email sender was not prevalent.
let nMIDs_from_non_prevalent_Senders = senders_NMIDs
| where SenderFromAddress !in (prevalent_Sender)
| distinct NetworkMessageId;
let QRCode_emails_from_non_prevalent_senders = QRCode_emails
| where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
| join kind=inner senders_NMIDs on NetworkMessageId
| project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
QRCode_emails_from_non_prevalent_senders
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Custom%20detection-Emails%20with%20QR%20from%20non-prevalent%20senders.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 594fe5a1-53b6-466b-86df-028366c3994e
name: Emails delivered having URLs from QR codes
description: |
In this query, we hunt for inbound emails delivered having URLs from QR codes
description-detailed: |
In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20delivered%20having%20URLs%20from%20QR%20codes.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 706b711a-7622-40f1-9ebb-331d1a0ff697
name: Emails with QR codes and suspicious keywords in subject
description: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let SubjectKeywords = ()
{pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20and%20suspicious%20keywords%20in%20subject.yaml'

34
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
Просмотреть файл

@ -1,36 +1,4 @@
id: f708c866-073a-4107-a60b-ba6f86e54caa
name: Emails with QR codes from non-prevalent sender
description: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let senderprevalence =
EmailEvents
| where Timestamp between (ago(7d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
let QR_from_non_prevalent =
EmailEvents
| where EmailDirection == "Inbound"
| where Timestamp > ago(1d)
| where SenderFromAddress !in (prevalent_Sender)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| distinct SenderFromAddress,Url,NetworkMessageId;
QR_from_non_prevalent
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20from%20non-prevalent%20sender.yaml'

45
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
Просмотреть файл

@ -1,47 +1,4 @@
id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
name: Hunting for sender patterns
description: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
description-detailed: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingSenderDisplayNames = ()
{
pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
"administrator", "administration", "benefits", "employee", "update", "on behalf");
};
let suspiciousEmails = EmailEvents
| where Timestamp > ago(1d)
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join kind=inner (EmailAttachmentInfo
| where Timestamp > ago(1d)
| where isempty(SenderObjectId)
| where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
) on NetworkMessageId
| where SenderDisplayName has_any (PhishingSenderDisplayNames())
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId;
let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
let prevalentSenders = materialize(EmailEvents
| where Timestamp between (ago(7d) .. ago(1d))
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where SenderFromDomain in (suspiciousSenders)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| distinct SenderFromDomain);
suspiciousEmails
| where SenderFromDomain !in (prevalentSenders)
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20sender%20patterns.yaml'

24
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
Просмотреть файл

@ -1,26 +1,4 @@
id: 8c852f12-499f-499b-afc1-25c50aa9b462
name: Hunting for user signals-clusters
description: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
description-detailed: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let suspiciousClusters = EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where NetworkMessageId in ("5ff15b1f-d731-4625-4c1c-08dc8615943f","00ff0916-1263-428c-a558-08dc86a6d3cd") //<List of suspicious Network Message Ids from Alerts>
| distinct EmailClusterId;
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where EmailClusterId in (suspiciousClusters)
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20user%20signals-clusters.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: f6354c94-3a95-4235-8530-414f016a7bf6
name: Inbound emails with QR code URLs
description: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
description-detailed: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Inbound%20emails%20with%20QR%20code%20URLs.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
name: Personalized campaigns based on the first few keywords
description: |
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| extend words = split(Subject," ")
| project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
| where SubjectsCount >= 10
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20first%20few%20keywords.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 54d3455d-27e0-4ceb-99f9-375abd620151
name: Personalized campaigns based on the last few keywords
description: |
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| extend words = split(Subject," ")
| project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
| where SubjectsCount >= 10
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20last%20few%20keywords.yaml'

29
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
Просмотреть файл

@ -1,31 +1,4 @@
id: 8d298b5c-feca-4add-bd42-e43e0a317a88
name: Risky sign-in attempt from a non-managed device
description: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
description-detailed: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsManaged != 1
| where IsCompliant != 1
//Filtering only for medium and high risk sign-in
| where RiskLevelDuringSignIn in (50, 100)
| where ClientAppUsed == "Browser"
| where isempty(DeviceTrustType)
| where isnotempty(State) or isnotempty(Country) or isnotempty(City)
| where isnotempty(IPAddress)
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Risky%20sign-in%20attempt%20from%20a%20non-managed%20device.yaml'

45
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
Просмотреть файл

@ -1,47 +1,4 @@
id: 3131d0ba-32c9-483e-a25c-82e26a07e116
name: Suspicious sign-in attempts from QR code phishing campaigns
description: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
description-detailed: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let successfulRiskySignIn = materialize(AADSignInEventsBeta
| where Timestamp > ago(1d)
| where isempty(DeviceTrustType)
| where IsManaged != 1
| where IsCompliant != 1
| where RiskLevelDuringSignIn in (50, 100)
| project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City
);
let suspiciousSignInUsers = successfulRiskySignIn
| distinct AccountObjectId;
let suspiciousSignInIPs = successfulRiskySignIn
| distinct IPAddress;
let suspiciousSignInCities = successfulRiskySignIn
| distinct City;
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId in (suspiciousSignInUsers)
| where IPAddress !in (suspiciousSignInIPs)
| where City !in (suspiciousSignInCities)
| join kind=inner successfulRiskySignIn on AccountObjectId
| where AccountObjectId in (suspiciousSignInUsers)
| where (Timestamp - Timestamp1) between (-5min .. 5min)
| extend folders = RawEventData.Folders
| mv-expand folders
| extend items = folders.FolderItems
| mv-expand items
| extend InternetMessageId = tostring(items.InternetMessageId)
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Suspicious%20sign-in%20attempts%20from%20QR%20code%20phishing%20campaigns.yaml'

22
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml
Просмотреть файл

@ -1,24 +1,4 @@
id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
name: Group quarantine release
description: |
This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
description-detailed: |
This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| extend parsed=parse_json(RawEventData)
| extend NetworkMessageId = tostring(parsed.NetworkMessageId)
| join EmailEvents on NetworkMessageId
| summarize count() by DetectionMethods
| order by count_ desc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Group%20quarantine%20release.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
name: High Confidence Phish Released
description: |
This query shows information about high confidence phish email that has been released from the Quarantine.
description-detailed: |
This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
| join kind=inner (
EmailEvents
| where todynamic(ConfidenceLevel).Phish == "High"
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/High%20Confidence%20Phish%20Released.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
name: Quarantine Release Email Details
description: |
This query shows information about email that has been released from the Quarantine in Defender for Office 365.
description-detailed: |
This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
| join kind=inner (
EmailEvents
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20Release%20Email%20Details.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 9f135aef-ad25-4df2-bdab-8399978a36a2
name: Quarantine release trend
description: |
This query helps reviewing quarantine release trend in Defender for Office 365
description-detailed: |
This query helps reviewing quarantine release trend in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| summarize count() by bin(Timestamp, 1d)
| project-rename Releases = count_
| render timechart with (title="Qurantine Releases by Day")
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20release%20trend.yaml'

31
Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml
Просмотреть файл

@ -1,33 +1,4 @@
id: 99713387-9d61-49eb-8edc-f51153d8bb01
name: Listing Email Remediation Actions via Explorer
description: |
Listing Email Remediation Actions performed via Explorer in Defender for Office 365
description-detailed: |
Listing Email Remediation Actions performed via Explorer in Defender for Office 365
- Track each cases with Network Message ID
- Sort the users who got a number of actions
- e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where LatestDeliveryAction in ("Hard delete", "Soft delete", "Moved to junk folder", "Moved to deleted items")
| summarize HardDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Hard delete"),
SoftDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Soft delete"),
MoveToJunk_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to junk folder"),
MoveToDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to deleted items") by RecipientEmailAddress
| extend HardDelete_case = array_length(HardDelete_NetworkID)
| extend SoftDelete_case = array_length(SoftDelete_NetworkID)
| extend MoveToJunk_case = array_length(MoveToJunk_NetworkID)
| extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
| extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
| project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
| order by Sum_case desc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Remediation/Email%20remediation%20action%20list.yaml'

33
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml
Просмотреть файл

@ -1,35 +1,4 @@
id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
name: Display Name - Spoof and Impersonation
description: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
description-detailed: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(24hrs)
and DeliveryAction == "Delivered"
and SenderDisplayName contains "Microsoft"
| summarize count() by SenderFromAddress
| where count_ > 3 // ensuring that some level of communications has occurred.
| project SenderFromAddress;
EmailEvents
| where Timestamp > ago(24hrs)
| where DeliveryAction == "Delivered"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
and SenderDisplayName contains "Microsoft"
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Display%20Name%20-%20Spoof%20and%20Impersonation.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
name: referral-phish-emails
description: |
Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
description-detailed: |
The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let EmailAddresses = pack_array
('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com',
'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com',
'irefferal.com','refferasl.co','zrefferal.com');
EmailEvents
| where SenderMailFromDomain in (EmailAddresses)
| extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
| where SenderFromDomain == RecipientDomain
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Referral%20phish%20emails.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e
name: Spoof and impersonation detections by sender IP
description: |
This query helps reviewing count of spoof and impersonation detections done per sender IP
description-detailed: |
This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4
| summarize count() by SenderIPv4
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20detections%20by%20sender%20IP.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
name: Spoof and impersonation phish detections
description: |
This query helps reviewing count of phish detections done by spoof detection methods
description-detailed: |
This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
| evaluate bag_unpack(DT)
| summarize count() by tostring(Phish)
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20phish%20detections.yaml'

26
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml
Просмотреть файл

@ -1,28 +1,4 @@
id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
name: User not covered under display name impersonation
description: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
description-detailed: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let display_names =
IdentityInfo
| summarize by AccountDisplayName
| project-rename SenderDisplayName = AccountDisplayName;
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatNames != ""
| where ThreatNames !contains "Impersonation User"
| lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName
| where SenderDisplayName != ""
| summarize by SenderDisplayName
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/User%20not%20covered%20under%20display%20name%20impersonation.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
name: Admin reported submissions
description: |
This query helps reviewing admin reported email submissions
description-detailed: |
This query helps reviewing admin reported email submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "AdminSubmission"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Admin%20reported%20submissions.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 1c390fd7-2668-4445-9b7d-055f3851be5f
name: Status of submissions
description: |
This query helps reviewing status of submissions
description-detailed: |
This query helps reviewing status of submissions in Defender for Office 365.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserKey = (parse_json(RawEventData)).UserKey
| where Record == 29
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by tostring(SubmissionState)
| sort by count_
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Status%20of%20submissions.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 2d2351ca-e9a6-4286-b445-a9268189c1dc
name: Top submitters of admin submissions
description: |
This query helps reviewing top submitters of admin submissions
description-detailed: |
This query helps reviewing top submitters of admin submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserKey = (parse_json(RawEventData)).UserKey
| where Record == 29
| where ActionType == "AdminSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20admin%20submissions.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f
name: Top submitters of user submissions
description: |
This query helps reviewing top submitters of user submissions
description-detailed: |
This query helps reviewing top submitters of user submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserKey = (parse_json(RawEventData)).UserKey
| where Record == 29
| where ActionType == "UserSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20user%20submissions.yaml'

20
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml
Просмотреть файл

@ -1,22 +1,4 @@
id: 0bd33643-c517-48b1-8211-25a7fbd15a50
name: User reported submissions
description: |
This query helps reviewing user reported email submissions
description-detailed: |
This query helps reviewing user reported email submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "UserSubmission"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/User%20reported%20submissions.yaml'

22
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml
Просмотреть файл

@ -1,24 +1,4 @@
id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
name: Attacked more than x times average
description: |
This query helps reviewing count of users attacked more than x times average.
description-detailed: |
This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let AverageThreatPerRecipient = toscalar(EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| summarize avg(total));
EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Attacked%20more%20than%20x%20times%20average.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
name: Malicious mails by sender IPs
description: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish
description-detailed: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize count() by SenderIPv4 //SenderIPv6
| sort by count_
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Malicious%20mails%20by%20sender%20IPs.yaml'

25
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml
Просмотреть файл

@ -1,27 +1,4 @@
id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
name: Top 10 URL domains attacking organization
description: |
This query helps reviewing list of top 10 URL domains attacking the organization
description-detailed: |
This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where ThreatTypes != ""
| extend detection= parse_json(DetectionMethods)
| extend Spam = tostring(detection.Spam)
| extend Phish = tostring(detection.Phish)
| where (Spam == '["URL malicious reputation"]') or (Phish == '["URL malicious reputation"]') or (Phish == '["URL detonation reputation"]') or (Phish == '["URL detonation"]')
| join EmailUrlInfo on NetworkMessageId
| summarize total=count() by UrlDomain
| top 10 by total
| render columnchart
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20URL%20domains%20attacking%20organization.yaml'

23
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml
Просмотреть файл

@ -1,25 +1,4 @@
id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
name: Top 10% of most attacked users
description: |
This query helps reviewing the list of top 10% of most attacked users
description-detailed: |
This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let topTargeted = toscalar( EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| summarize percentiles(total,90));
EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| where total >= topTargeted
| order by total desc
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20percent%20of%20most%20attacked%20users.yaml'

19
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml
Просмотреть файл

@ -1,21 +1,4 @@
id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
name: Top external malicious senders
description: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| summarize count() by SenderFromAddress
| sort by count_
version: 1.0.0
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%20external%20malicious%20senders.yaml'

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше