This commit is contained in:
v-rusraut 2024-01-23 11:55:00 +05:30
Parent c71af4cb20
Commit 43e3056380
7 changed files: 51 additions and 51 deletions

View file

@ -5,8 +5,8 @@ description: |
The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
description-detailed: |
'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment.
The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml'
The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml'
requiredDataConnectors:
- connectorId: DNS
dataTypes:
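Review bot: the only change in this hunk is whitespace (the removed and added `description-detailed` lines are textually identical), so the noisy part of the file is left untouched: both `description` and `description-detailed` use a `|` block scalar, which means the single quotes wrapping the text (`'Cobalt Strike is a famous ...` through `...net_mal_dns_cobaltstrike.yml'`) become literal characters in the rendered description. Drop the quotes inside the block scalar, and while here fix the stray capital in "alike To compromise" and consider not repeating the one-line `description` verbatim inside `description-detailed`.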

View file

@ -1,9 +1,9 @@
id: 24ae555c-5e33-4b5d-827a-44206e39f6b4
name: Potential Impacket Execution
description: |
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.'
description-detailed: |
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.'
description-detailed: |
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.
Refrence: https://twitter.com/SBousseaden/status/1286750095296335883'
requiredDataConnectors:
- connectorId: SecurityEvents
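Review bot: this hunk is whitespace-only as well (the removed and added lines match character for character), and it leaves two visible defects in place: the quotes inside the `|` block scalars will be emitted as literal `'` in both descriptions, and the context line `Refrence: https://twitter.com/...` has the attribution label misspelled. Suggest `Reference:` and removing the quotes in the same pass.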

Binary file not shown.

View file

@ -166,7 +166,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \nThe query tries to detect suspicious DNS queries known from Cobalt Strike beacons.\nThis is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml This hunting query depends on DNS AzureMonitor(VMInsights) data connector (DnsEvents VMConnection Parser or Table)"
"text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This hunting query depends on DNS AzureMonitor(VMInsights) data connector (DnsEvents VMConnection Parser or Table)"
}
}
]
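Review bot: the replacement text silently drops the Sigma attribution (`This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/...`) from the UI description while the YAML source for the same query still carries it, so the package now documents its own provenance inconsistently. If the link was removed deliberately, say so in the change history; otherwise keep it. The new string also puts a space after `\n`, which renders as a line starting with a blank.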
@ -180,7 +180,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.\n Refrence: https://twitter.com/SBousseaden/status/1286750095296335883 This hunting query depends on SecurityEvents WindowsSecurityEvents data connector (SecurityEvent SecurityEvent Parser or Table)"
"text": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. This hunting query depends on SecurityEvents WindowsSecurityEvents data connector (SecurityEvent SecurityEvent Parser or Table)"
}
}
]
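Review bot: this drops the `Refrence: https://twitter.com/SBousseaden/...` line rather than correcting it. If the motivation was the misspelled label, the fix is `Reference:`; removing the only source citation for the query's detection logic loses information that analysts tuning the query would want.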

View file

@ -107,7 +107,7 @@
"tags": [
{
"name": "description",
"value": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \nThe query tries to detect suspicious DNS queries known from Cobalt Strike beacons.\nThis is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml"
"value": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons."
},
{
"name": "tactics",
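Review bot: same issue as in createUiDefinition: the `description` tag value loses the Sigma rule URL, so the deployed template and the YAML query now describe the same content differently. Either keep the reference in both places or remove it in both, and record the decision in the release notes.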
@ -192,7 +192,7 @@
"tags": [
{
"name": "description",
"value": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.\n Refrence: https://twitter.com/SBousseaden/status/1286750095296335883"
"value": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping."
},
{
"name": "tactics",
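Review bot: the Impacket `description` tag also loses its reference link here; as above, fixing the `Refrence` spelling would be preferable to deleting the citation.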
@ -284,10 +284,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
]
],
"connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
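Review bot: moving `"connectorId"` after `"dataTypes"` is a pure key reorder inside a JSON object and changes nothing semantically, but it produces a diff that hides any real change; the same reordering pattern repeats through the rest of this file. None of the visible hunks in mainTemplate add a `subTechniques` field, even though the release-notes rows in this commit describe the change as "Added subTechniques in mainTemplate"; if that addition lives elsewhere in the file, reference it, otherwise the release note is inaccurate.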
@ -306,6 +306,7 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
@ -315,10 +316,10 @@
"identifier": "UPNSuffix",
"columnName": "AccountDomain"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@ -328,10 +329,10 @@
"identifier": "DnsDomain",
"columnName": "DnsDomain"
}
],
"entityType": "Host"
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"identifier": "ProcessId",
@ -341,10 +342,10 @@
"identifier": "CommandLine",
"columnName": "ProcessCommandLine"
}
],
"entityType": "Process"
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"identifier": "Algorithm",
@ -354,8 +355,7 @@
"identifier": "Value",
"columnName": "SHA256"
}
],
"entityType": "FileHash"
]
}
]
}
@ -439,10 +439,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"Event"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
@ -456,24 +456,25 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "AccountName"
}
],
"entityType": "Account"
]
},
{
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "ImagePath"
}
],
"entityType": "File"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@ -483,8 +484,7 @@
"identifier": "DnsDomain",
"columnName": "DnsDomain"
}
],
"entityType": "Host"
]
}
]
}
@ -568,10 +568,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"Event"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
@ -585,15 +585,16 @@
],
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "TargetFilename"
}
],
"entityType": "File"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@ -603,17 +604,16 @@
"identifier": "DnsDomain",
"columnName": "DnsDomain"
}
],
"entityType": "Host"
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"identifier": "CommandLine",
"columnName": "Image"
}
],
"entityType": "Process"
]
}
]
}
@ -697,28 +697,28 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
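Review bot: the reordering preserves what looks like an error in the connector list: `WindowsSecurityEvents` appears twice, once with `dataTypes` of `"SecurityEvent"` and once with `"SecurityEvents"` (plural). One of these is almost certainly a typo and the duplicate entry should be removed rather than carried forward.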
@ -850,6 +850,7 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
@ -859,10 +860,10 @@
"identifier": "NTDomain",
"columnName": "SubjectDomainName"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@ -872,8 +873,7 @@
"identifier": "DnsDomain",
"columnName": "DnsDomain"
}
],
"entityType": "Host"
]
}
]
}

View file

@ -1,5 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------|
| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
| 3.0.1 | 23-01-2024 | Added subTechniques in mainTemplate |
| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |

View file

@ -1,4 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.1 | 22-01-2024 | |
| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue |
| 3.0.1 | 22-01-2024 | Added subTechniques in mainTemplate |
| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue |
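Review bot: good that the previously empty Change History cell for 3.0.1 is filled in, but the dates disagree: this table dates 3.0.1 as 22-01-2024 while the other ReleaseNotes hunk in the same commit dates its 3.0.1 as 23-01-2024, which matches the commit timestamp. Align the date, and consider extending the note to mention the description changes in createUiDefinition and mainTemplate, which are the only content changes visible in this commit.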