From 3f4fbc604b5c4ac7cc55d4d2bd73fa3fd819c92e Mon Sep 17 00:00:00 2001
From: "Shain Wray (MSTIC)"
Date: Tue, 6 Jul 2021 22:44:02 -0700
Subject: [PATCH] Updating to proper column name and removing validation exception
---
 .../tests/KqlvalidationsTests/SkipValidationsTemplates.json | 5 -----
 .../TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml | 2 +-
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index bd97080d82..c7f74454b8 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -9,11 +9,6 @@
 "templateName": "TI map IP entity to GitHub_CL",
 "validationFailReason": "The name 'OperationType' does not refer to any known column, table, variable or function."
 },
- {
- "id": "f2dd4a3a-ebac-4994-9499-1a859938c947",
- "templateName": "Time series anomaly for data size transferred to public internet",
- "validationFailReason": "The name 'DestinationIP' does not refer to any known column, table, variable or function."
- },
 {
 "id": "e70fa6e0-796a-4e85-9420-98b17b0bb749",
 "templateName": "Solorigate Defender Detections",
diff --git a/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml b/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml
index 1da616a5bb..1d7137d776 100644
--- a/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml
+++ b/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml
@@ -38,7 +38,7 @@ query: | ( VMConnection | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) - | where isnotempty(DestinationIP) and isnotempty(SourceIP) + | where isnotempty(DestinationIp) and isnotempty(SourceIp) | extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" ) | where DestinationIpType == "public" | extend DeviceVendor = "VMConnection" | project TimeGenerated, BytesSent, DeviceVendor
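Review bot: Now that the corrected filter on the added line lets VMConnection rows through, the `extend DestinationIpType` line right after it labels every DestinationIp that does not match `PrivateIPregex` as "public", so loopback, link-local (169.254/16), IPv6 or otherwise malformed addresses are counted as internet egress and feed the BytesSent volume unless the regex (defined outside this hunk) happens to cover them; that skews the baseline and can raise anomalies for purely local traffic. A comment on that line would make the assumption explicit, e.g. `// anything not matching PrivateIPregex is treated as public internet; the regex must also cover loopback, link-local and IPv6 or those bytes count as egress`. The filter also requires `SourceIp` to be non-empty although `SourceIp` is never projected, so connections with a missing source address are silently dropped from the volume; if that is intentional it deserves a comment, otherwise `| where isnotempty(DestinationIp)` is enough. The enclosing `query:` block starts before this hunk and continues after it, so the other vendor sub-queries could not be checked for the same column-name issue.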