From 43e3056380a548e20c6955bbc6523150dd0f55ac Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Tue, 23 Jan 2024 11:55:00 +0530 Subject: [PATCH] Updated Release Notes --- .../Hunting Queries/CobaltDNSBeacon.yaml | 4 +- .../PotentialImpacketExecution.yaml | 6 +- .../Package/3.0.1.zip | Bin 10994 -> 10759 bytes .../Package/createUiDefinition.json | 4 +- .../Package/mainTemplate.json | 80 +++++++++--------- .../ReleaseNotes.md | 4 +- Solutions/PaloAlto-PAN-OS/ReleaseNotes.md | 4 +- 7 files changed, 51 insertions(+), 51 deletions(-) diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/CobaltDNSBeacon.yaml b/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/CobaltDNSBeacon.yaml index ffcc19b6ed..38ff842f88 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/CobaltDNSBeacon.yaml +++ b/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/CobaltDNSBeacon.yaml @@ -5,8 +5,8 @@ description: | The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. description-detailed: | 'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. - The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. - This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' + The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. + This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' requiredDataConnectors: - connectorId: DNS dataTypes: diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml b/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml index 93060e5ffa..b7fb1171a5 100644 
--- a/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml +++ b/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml @@ -1,9 +1,9 @@ id: 24ae555c-5e33-4b5d-827a-44206e39f6b4 name: Potential Impacket Execution description: | - 'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.' - description-detailed: | - 'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. + 'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.' +description-detailed: | + 'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. Refrence: https://twitter.com/SBousseaden/status/1286750095296335883' requiredDataConnectors: - connectorId: SecurityEvents 
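Review bot: The `description-detailed` text on the new side still reads `Refrence: https://twitter.com/SBousseaden/status/1286750095296335883`; the hunk only repairs the key that the stray quote had swallowed into `description:`, and that context line keeps the misspelling. A tweet is also a fragile provenance pointer for a hunting query, so I would change the line to `Reference: https://twitter.com/SBousseaden/status/1286750095296335883 (Impacket: https://github.com/fortra/impacket)` or at least correct the spelling. The single quotes wrapped inside the `|` literal blocks are literal characters to a plain YAML parser; the rendered `createUiDefinition.json` text later in this patch shows them stripped, so that appears to be handled by the solution packager and is consistent with the sibling CobaltDNSBeacon.yaml.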
diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.1.zip b/Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.1.zip index fc2b89f72c8c36d65fe61b3da5fde403327573f8..a5d1bde354f14401565fb9dd2fdf18c743ec4b9d 100644 GIT binary patch literal 10759 zcmZ{Kb8saP=zRN*EVS#~x!GT@=;MNi(j3)d-00ZNs0RzMNw`%NUYUE<7ZYg1EW@%^X zVrg&3WaVscx2bb(N6?1-X^?*{Lc_>_H#g#_(g>HS=V5Ek9iG!($Ms@F0M026)SX89 zMkyVcgn!a-Kl@7gfx@e)m))x29t0D>c;m&i-8Pr!_r*WN=f|=uPuX!7?P|7UcC_kn zA{`i9>O+T-u;%YK)&wV(g5_-1iX(vX2%7)F-brXN^hHi{1owU~ z#^kMrWuctpe~CDU3&JEOn5{7z+8CMPz%gdQpk82W7@YJ=8BN9`66&rhDtsYNm*pQH zZbQfC)=5Mg9dg|BLz!ZwQAI~3V?g5-P*yd4-*|IkV!1mt4P!JhF>l?O_8Sx0JC`3h zozU3s2FWweZ*DG+MVf;^7Yu+6xROB$3p4Bn_Fihb*hR4tRW1N#F?3RSoj|N*@KH>p z^Uo7J(82|q>DT9R_X@$c@g)wB2gUoTOGevSDxtR>cY{R}8dcu$pwZ5v4zWJs$M8pI zf=b=*ZT2}fp=`?yv^hQ>UanBZK&Mb>@T*VK2rtgg!VEBD_-^pHi#WuoW>4sHz>oD7IMpzjj7p0J;7SK7*v~o^CBLqKQRs?N*lQF|2R`LkXgwwmq z3}vj6QlShSJroc9NN0^eV+W4=r?ACb{6Mxbn0tdv@^Cr)NI_P9v_$a@G9(-YSC>&o z{(%2?u4A1F!b*=sM_vU55eO*rL9^UM+*2e{+<}LTF$q2vy5-*|4USC4{5`y_|3Y1d zJMHv1A40idBap$-jJn9K>$pk9xlS~!@jchBO$S zfQJrn!-ibk;>SyL9cm;n*iJBHVN;9u3Bnz@C%j}52)acG2y*>AaWZV&41E9h&vCIb^@u?bbq)bM+zDNgq)|xTZZD3 zV_14IqU3a(tAm;!i^e9-HY8Z}nG(o8b%o2vHdzOfr&5^(jg$vKaW&>-ebOG0*7dZ- zzHL_8n${m?=bAW_!qB7Y3#P;6i`kt5YZWIOJYl7oQ8HFx2U%}b56M?oT^QVm#T4e} zTQ#1;(6Edu;C(r#J$O44mU*4QNkQigzHTJ|2MfYHeYqeT$fPi<3FGmp>eOWiTUcpk zQc5K2@L^svx8!db{KJ<*dGNSvtf7X+(1NhEarRY6t62h%#3z;{v8Sck>6!K2$ALbC zG1v2FAX9E^AgN7QFTpOb_*WOQw#B?hP(U7~!$yNW`{p-!!`gL@obB`!mXt z_$8u)7YP(i0|FJG`@r_vH6q-1tRh=?!OgU&A_1-~j3s=|!D3K*Y{i=*Uga|+O=At% zue^uR!z9HGWD`0$+^BTI0Ftqw^P;vuDRytgghb5kotuLly+PR|I`5T&SA^$ZCo1Irr4crK+&du%J z9qtz~6!p$xEZWW}GBGOkRGgK;8!P9$N!2I2P6X)8TZv_0txJsrzYRt8$D(7lsgE_Ey68 z8A{Z8r<8LA$u`*s@(ZPyobU@JaD292_E`q&bvNU4P1o|q;W8fI>nxQ? 
zm<=}GmdgOx@UNR?xzCLj0SzuS2#EqdH&VWEn$j@iFjSWq+{Xs+Pz^V`dXd)_MRodt znkI>s`_E^`^{bwE;bzMe8P9sm?bOgky7>L71DeZ+ z+FW|C?jV6i4u{2eFJYfcdvt?Js-Lrm1g%R!P*IWwp*4ahza7@U06RxH5yP1_4sw^@ z^qYRllcB?{BRHz&z+5!%#gm(s_0X+lxz@dvpuyl<$^_b);>#0;h4U|=1W06 zt%b+oH!Akq78h{M8K5RU7dk#2%~1w*yOKK{T-$Ge|G#7YU&HBt#7IB>HbHLJ_XCsP}8vHt0#ZBO^6MgxTGj9pg?qv+UKduqMG}$5KY?A zmc~RXF_Txsti&c@aZhMX+_fLfA||C#G7BTzyH&cfTW#MR=bC*x`+dhd>0GY77{<(6 z8C29}edvpr#bvs!@2Wa8i~!NCwRp0z3x}(<2IR#?ZsYDCC)(E9s|{P`kqi9rV{}2_ z`hr!L75C>}uTs;oN4x4hgY8YAM#ovd9b{bdWB1!QS`eI2^bk|;&k(Vt{$3R?T$S54 zUb-j${6u(mN{*=;KRtN;s+=|KvLlnw63VVv^!o@L^HkR=rCnIX=t@uvYquvAaN>+X znL(ZOo8C|cyg1^uo6_OMGV8H!KHj?vI!9r=gah_oDzw+_ltEJ@Pb`Nfyxm@D{Ev90;p1ny0KY*tguAhsB8Q zd)7F!CakSo`K?Zdm4Q%CPM!wCvWH7Hc3;^KAEI85ikG^rx6=d~b)Iqn=7(u^*1(Su zG3%ubjV?Uij6K-TFWB$@4>Q~S!_2Dk>}UwYU|_{-U|{I~Fte?ZrJb6ot%J=!deLnX4ge6PqcJv-IYrKtCD^cb+o_2FL1v*Rl zdX1V*#AV*klba~;rqO2*!ymcSqBT1N6SI@0bf|7j!J^`l(%ZCA(GZ z$<{hi@lXN3Cx0OX4R$ooM|-!;I5I}a?e4jqOkpdeaEnR+vUy$E^d$z&CyY=cAlOQ? zG4ZGHm0h6ccF|uxQqGE4(_s*&Ek)*sgthjmkcs&H&APeaUt-XgkI@TJep1aQCv4jX z{*9b2pTuX)=uXNiw^oW6kLVYB!f($G?v?lN<|79N$;v;OzwA2;gpSjUk8(4Q#0)+V zCu8wdsc+ZI{pJQw&{6QHlD%1Rm;+NcDZ?()95Ik*!17i}sd!McwpwiMYHx6^%Y8x` zr{|$xYF1(R0z66kkgDO1RPH1azAS)ZbhG-k>f;j@z+f#1gzg+Xc%uM!R2m$GZ6&|u zhKc8GVctW};UhKiZ)pO&^9;+?C5>E<$)Tg9kC5ZzX0pYWU?0fsx4Tk){a5SX2@4Y0uu|b-0 z^I-`nWgR!=6e2`nO+UObL9-c+Lot7vwymRw1xsgb`E6xa1Lm7hIpp~YR+dqZCWgpr zUHIpkgq1JO6g%6qPE?(HE+kK+T1ti7nM={PtCyCW?Bsw60eb#o zjKAqJY(4VbG>=DV`Zt4;AG`!Xv&K1!g;6FC>u-&-mk^^>&Md10?sAbW9};_v{ej9I zYP^Xph;bQ>nl;nb_R=^tDCvv(-ZkQ@pP#?_PwN0kor{+Dmym0<>yH8RjykZI>$5DU z;aH(2LxQeWi`e!2w>_D4dIAg`I^P!AKCEGKD0YEJ;h}OAy0K9?NF*hq;7aEV7alf0 zrO3SotuiYKPP_hWS(7O*dZmP_-vr65!6b5p6xOy`WKL+wL=C9Kep@wCr_lvs+tsM< z4v04{SJZ-C*0XxhgEmi|eq4r{vVuh48s{yVK(|cfJKUu^t<~8~YrdmPU zn*`VEn_}2k8wMfc_XheQ{7OZAhpj6j|0Xqk#UAZJ2=2?}4w@AX-$07&{~R(+`jr=h z`iTD_IBw^{FG4}|!#f68x_vqunTX50tKaWN6&P{*bV1<|dC{Rj6tP-bl}e1H7chI}ANi;DMT@iC zSCSbzmmGRFPz#6FoW)8+>)?!xWYCHF>Rtd>m6`7s`!j6e%<+jSowJ490tLFUh~0)o 
zCX8dvp?{L18!U?NMA`W;Wa?$Ez^`Eb(-Hkh7yA;Y8?I;aFm8f?&+O_6i8Uuz7*O=r z=Y&vdv#MfE2D>2#6zvT|4#aq(Uf)_1G#iKikQ*NCl@z%HcVYlY8NZdFH~^&eLrP4a z0&@wJX%?6-lYj}vRg@O~5q3CKcEtpX+!j-qsIm#)eo8MTav8DkCO@KKjgnk9PTDcp z+|JlaZ3+1fivwf@Op?w&nY@$D$<{mqkIP*0Jp6gw zJ^g_%PhqISl*b_C+b$U02OZRBoR_B?G{MXJ^i@pW8=fIg8%Fz(M2f^;1Jp#T z)Cm>HlIce3Wq--MMbeJ})bGQE(?^9r z=_FX(TVh$~Fv76B?6B8cfR|z0#eqR?^pWU~-&z{*liqN))nF$Dv#a8>)Z)JdQo!>Q zH%aMy-AtR3c0L`nz_@wAh{!^#?glO4DO~a0*xRadYGw9rj|m6y_jV6ppE(zUxA=F) zI*V#A?>UK$22TY-e>0!>CN6(v1QRHsif_bu1nGET1Wm5u*8}rAe{SOL@0a5e#4pcq z2VAstlwN|Ve+i2-%p(Jk(N5GUhI|N8X*ArEI613pR1w~*&5VYSyDbh-H10`s@>27c z!~S@(cIsoDLqvx*Yu)=QO}J|!l)eM4fmEcSc9-)3{|;vX%U|L|I5VX~fTbXjcxB6S z4QjPUrG1HE+h1~n#8Qnz~p`i{kLf!s-MZ`=!ZTW6K*|F%krpLGj#U_J(5+ z%QIz?l6>4%dRx?}Vq>L0%|4#LvJ+fBCF@zfsHc^oKEiKkJ+fz~Qe3B)p00j28}C1U z>a$Pf^>Jp+sE|+RW)L6BSzIpV0rY4;zVb9_43Si82lZmH^wM>Py(x@Us~9X=G^8K6 z#*mQ)?1bDq3QYrjWXv)5-#ue$+V<^OrTp@E_U`+0_QUzOmoIEQirZ>4SnAX3;&%9osd1RWPXCL?Q)AQgI-tP?ZCrX<9m}3 zZOhYS!qa5izmlp@gx?eNB0Vufz!}Wt@aFJIk^2jaVsebeF9B zvC6I{Q=`)~f9HzR0Z+f41_d$kY$q>hcl2BlBx{oI43FTO&9Xu=O+RVDC0tV^1FO2y zOx2n%_3`2V#mo20_w~pgj;Zf=cP~C=>+U%Xbq20=E zT276)8vLqsGm(F8ym$db3Mb|R;;y3!sj`EzW;(qqMGM9!k@;_bn3BWpAvkMl-O9M} zEF*jg>|P{Eh6&jfcYM1Tema;&G!`6M-$b521vU%#dwHk?nEIIT7FiYD zS_AGpuDr^s*$AC||K0{Z?oRe$Z01dqH?;JOq!ALXYLoecU zwb~vnE!#Ft3`jR_Kgeg+Bk~4o+-@tA-p`im^hm~=MR)C)X*QTP$eOzo^J|SprMu+6 zd!*Q05n<^Eyvsp{$X!Wct=WEmUVS||;iBn4MqqCGQCaAfB@K^|=E~)cjF7f@_v?r9 zF1E^BNnxM+(K&wv0yD|-Fwe^v&UUl1(GyugpY#;sUxq?=LNC0*u+{P~^5Zq{&F6PL z$-rgnjb*pm<^gN6%4TtEPi7DErN%`T+wqB|Tn-?hkR=zzWe4}))i(qmsL&!p&QXtr z(VO+H1Uyc{FtB1Imk0G5B>n{1oYfgFc!r7)c0A^?G0i2PqpujzFm}`t4cap`ap!>t zhaKQ~ixGVPVMB>6I1n-@Y>T{Yr^F2_IGYDC+eTs?O}f97>3E?9FGD=8>R+z+U>VGa zWr$4kAh9J}hT%G*)|~=n$0)l0E?VBOcv_wm*h&zGI{%l=-Gv8@4tscJn*QM~k^;gs zcbwwIVj2P$;Uz`xkzN@FffYK85$QXEVbp?nUk8a0gdQSZ_T}SS2dCy? 
z@fq;HutOENm36nUlG#P7*)CEjheLp1%c%Y#ZL?!;pEamXG=<|{WEVlx+%&9JcIi*R zNh}`B5Eh-M*6YUh=0o6)tkle$LpINiOhivAOo@{3clyY2sE`9_iyXKg?VsI1M(HyY z@^50g`8j7UexOXfL(YrP`87RYD?3*U9XJ;~%DE+7R0 zeX0J{7P2k^kiyJ$^F`0F{Lavh=$DsK6bku{l-|w67M$R=;KVzPm1uJ)gF&eOJ1D0I58ubA|xvXeO4H&WP>4io^Xm2p->=Poj ztOFDi`Od>pEH~YQGOEu>4}Tz1C(_awlA|a+`RA2*su&0r%eB!e;D<<_IsT&gj?2hM z6o$06ou1%x&B;WflSD2cX9V%49N$L!q1h374TBw`9Ub(ALW~)15200csf~Z`)=MVR zwEP@>XWnPEV`Luu3I7*wJ z-VR~RwN_Af=VTnwu#`qP;*q)`VhBtcCLA?U+48S#oK%e~$b{`W5UF5NLSCn@R?sjE zu^y8q(y@JL2Cp8M>;6V^=+X2<6~?QrZAaQ(tbSUEQq$p6E8yzn`py#6rrSDck8{|< z{-k+;v0*JPwaTwhRXV14+?PzXrM;Hifb2Z}gj}1zp`VIJLSZ86^60BT4G>W?^=QEgoSF^hFXqJs#l-HrdR5g_tc*jdOEmU^!0)L*Gz zS9_H#=@EVRN7iSf)|y!5(h)_865o2|j}I`ClGw_DA)#gRm+}#Go(_H1H*YW(GJDCZ zvjnRWCSuO^fKmDolRj3!>Ya#gH3U?_H2gF@`Q)F@pvLX9$GP>iL>%+Pw^S^0!s5HJ zFO7&tq|J9!QmFiSJW}DpSv7x3C02i_f+ap6HvqvN7Bhvm83S3vu|RSPI%BOtv23@m zbg@McTmPY`D0}N%ZTY39G<(riC-?6nX`zCxbHyt4wuz#8*`8oSSq3)?;?|KiQ-|tV z<3OeO(|G%!XC2OaWQy5))kU-OZlgd5e*ZBs zo=0>Xb_`ve8II4MMj9*wvZG072azOmO0EduBQBPo>yvU8b-3J{hB%k%xRma^Je46h z$R*K|prHr17d(I<7*N+AeKn}q)y#2E#3}cn!3mfhtvY7vAfU)=Kg7JUYx_C*65~@o zweR7sDw7p^Y>M#M4or{-D`p05QsU*)a}$Cb$IMNl?!Vu9V8<3#h7V7>+_3g~xCOzg zEJpbU6)sO2k{O^8W()W|J-R$kH;QZ=r3!T65u+YJ^49E>W&1>9R6Pr{D#9z&tM`nn zXpf=9F|k9Zw`Xo!*qVsOejPZH>jWj}WwPt;p$n%nI_XAOTa`7M8as@e2Xt3XCa(rB z@BTKemPH@Uy3{XA`!1PE^P@3)c5IRPxQuPAkxjIC%Ji$zfoQhrFg7^tM!#yg;jg|ktM;$`1-J@X>!!mUMf zV8G^!Wlx7`qojsdz&9n1sHf|N9%$eiEf;=!N)KuNq-bCZuqBO4?4rZFRJLe2tu#Ns z<5|C7|)5P)DbLk0cZ}#n8;!^8x$9H-1~f)ZFBZ zsJ!BGJQR}Hqw9=EI!bIK_#CY9n5fLLTIn3w{UDxK+Z5BxH8&vrK$%xt!;V9oVkvbB zJz^EPBmLGVP?5dDK5U#I&)wEFVL9qcbMv=^cf;T4N7c;Q^x-2ev!9Eu37A>ErxR?$ z8S45@*aE=?#YqdnsC>rrN~q&$hfArm&19tRtuDGZhJidhR;3<0?HZSTa$?_x$_Ue{ z^y2SFZQ^He{oqi}`w}u5fNV+0z>_@0WyjZzzzsNAr!pQ$HF#4acicd)D@wGGdAfS;fkvQiaEm+I=wYr}r4^!%888=g)70!6`X+iV-`e#HU5whkLv80o}C5r*2 zwtCF_LW2B9egX+XOuTz0aeKxi9SIbTA{$M9@IibDZJG`ANjiVVf>TH$%d_U2S|SpY z3HUh%LJ|iHtoiwYYr1_8T^>3vVREiJeYBH2@A`S{-$mZAm_3vclihIzs%Nz6oHh$1 
zWswCYXtFJ2gL_UzN{E;wnj#_TVZF-Syq1awy6BL$27H6)#To(WYQBSL4m)90GTY zTN0+BjEp5<)+On9Y-`x#yTRhKblE9c+@Lcco_0_qxWMC**Un zM*XEG>2&O$7-=O?6mfEfs6q`iUM}XwMFSUv&Fph-Qm^giMbFMDt8GJ7`!Cl#Of5>K zB`LU#%+gjoR|g9!agI2p%{d9&{|4X5Jd^iaDcE=6v%5^*t3KS4ZQ{q#&&}&vB{PB- zXp|3JWnV#tvc==&o>5Q zZ@$*1zBQos&MM{-gQc2h43TR?PTztpk7S8adwWxF?QSul%_-UUPJMe*-`|e2PF8{mCW$on1RN)O96Urcy6nn zgmCqX%^|M1MC^DY!=o|+$YYcuJ#^I(dC)0CR zVAA)-yu*3IEv0E!S`b`#b+Bf-VSTlB)VN4C>;+FN*|}LphzFjKM$M+7+JHS!YS|_U z6r{Hh9E=-rLQn=w?KK?ItTkdo1{@ROz!KwkeqlJSFN<9IX49pHmuoY8A#y(O$Is24 zo|g2(um__jcoJcw={I45EKOQB zrn3C_=qJ>3KLqDN<>prDGmCO95IM_$6SW5F?$#)GmHhcuwln4Yd6CshM3>h??Zir~ z6PF3+l>RLQmrsitwKnXN4Fngfr=~NDo814%nz(`xUG&qO1@cvfB@&1W#I(|6bGnT6 zduA$T|7evLR!BQ7ykVUoO%8A`=L)2_w(GJ4dL|I778c|{=1iVs+xnt5@@*v#k6-?g z6(>p3_@S#i^7o~apKnL8X5vcNXTehMWPQXT9LKWDhanK)0O-vC7yZp%WEa-4{ zDiLLqqeK`hqAX?cLXouE-?x|)9+e+noX~EVkX||;*dI1eNX8bTv5Oo1m-T#u71osX zw**t#mae-h?yEo1WEZjLN#(I!Hra#WxYH9S}4^Lo$& zEdtD?If^hI7|=G{F%P7<_cX^$Bf8(03C1wM$$$vOf=lJ*Co|?G z2pZz=ag-N{=#S8{iXP>v#e+se(`OG&&#PtPmEhzEs*fs_nJM8891-#?iAJoU^Ca8Kh>}ClcoKad=^3g!S)>kkcvAJ;pWP zfRjO_i2vDo$DUSqE}1-f0tH2e!sx882{~f@5I>IK8Jyh}Me=J%OYY;uvjT;UN?9f& zAEE@5SbQ6Wua}wxtVd&5iRjPM;@2Tpph;7Q2dDBMG5_+lpOjGEw~m*`ON}+4(SPef z?I;Xvh|Gf!Dz9@dXw17^h_c&;n5tZovU2}c-}F+I7CsGjT>0}VRLVu~4-us_Td1}O z*OTz*SHw<($Gg61%MOFxr(3`xpWG3$$7Bt^z{6|^Hcl1-vu_uo$${c|4NDBst?4{z zbjJ6mjWeHO=ADntz|I5>jdbO|}1=_SU>sIUMN`Kw+KAJQ}J z8lO<>JjbJ=p~W>w#hpGDue^FC)TB3XU>3IffEuuQ@7T?RQx2< z2TpRg;9S3qQ`KEQBuH5 znoo8iJPF34)jHfOwm=Nwe)FT`R(FNBR*YJM(cq;zpEy$kfzoy(u8K8cw(4-W&-W+f zIA{;ReD0mK7MR5~G`SC`8B@qnk4bI{+h)g*o};nN3c8(*GTj0 zP99)))XcmTVK(_M_{J(AFS~J3kgs~n_rC@&hd%-Ra7)|wXoCv5G8a1pzfza5F-=qq z?2}~}=SsGYB=pa?#~=3{p8KIUDYSU=8q~6fZ_ku`r{!AoIN&br9CuN)$OR56Q8u77M`S^_|*McazXHzg0Tw7YcD%| zPj$XtPK8)jU!!5mNcVHcs@YmN+2X@Rh0w_PkI@q&mZ3gGYsFD2i!<1UYX11w3ye2s zNV5=KTMg6zFORRiI8$mm6^nnU<7<3#A^LDrcP}4y^i}gD8s=Ts5)oQht!;z#J=_mN zOm5{YgM%%dE*njF53{HSO;9y_i%Af|XbGmI1p-K{cE^$RBysTX*CYHn*bXGZN;`0Z 
z6PXLrG8yc@vgIhJ&u%8XCci9BRF}X^`B^?&Ml!w;$UUKH##<-aBQxu&Iib9=)AN%P*aj7zY1kqwJM6U$nJW9&cgB}RBy9x`%m-18cN?|Z|)smZ@=vT}RSzFa$} zyRXs!d>?xU^95@X89~LUq5i5C{%(}Fx-H!@nUOGmMd_)RL#@NGgw_3_Ko(cD6gGMo z$7g8i<*IXmTsY>m8@ikESwR{9+??Q+lx2#AK6nI!2GEwelkjixcc`s8=F%wot76ypq3S6%82b@XM>r-Flub0nw)kub2iNE4*SqlUB!?NHsu2`MAhZwH{2U>7wYii$vVP(A%k&js zdyj>&u3g`}N)wx02xLNi`4@D>N{+yuVb$3-cX(M=q?C2|Q5BQ+CC$#ZFG=l*jO6TU zkKuhBJd#c^SP0)zAX|TCvY-zV74(|L`(Le@{dw*$ZyLl#M7iq<)OZHI1|5U`maA)_ z-~{Gs62jAr4gWl|Yy7r%Gg>1{Xq+G*7W3h6DSvMxt6AOMy3cQDKkiaPXA|qeuSEDe zC-z=>yji4)Lr=P6vQ%A-sUCzZS>-BNOGWs)55~DiQuyVY-A9Z(L?7h+--h{@4f| z3$hD|#(Aex+XMW(>rv9&b*natVS6TGB%jZk-7N*(<$sBKo9e`ww6p>MuMkmAYhonW zsKQQcJJHPh)X2F z+5;T*1fIkg#hkqG)OrX&U9g#~icvKhY^sGeTg#U8D6#{=>*+5s_S2}oY@ia-5Eovn z6pi8^!DrtqBA<<~88$?Q@01Ed_dudGChLTZ;uOsD$;|g4%=h4Yi%ILy_iJ_9JR zr>L^1<8pl1g3Re$##?aSkYuOO=qf%b1haII{THal@m_pip0f{F6JOQlggxS8(QRH# zHV0Iisd?Yd=3Sx^8}PDMcgM8Sm~Op4CHivNm3zHYpCodpuEPF-f(vAWOOiEqWAUbs zG&UM3(TB6)%G#&V5Gr{9tfD7<9Sx$iT=935H`Ud1F*xe9E!k3vSz>Qu_~`?2RYzvs z$3Sl6ufhfICyD{OTrr)Lq}b$~$T!zQ%D_zwkuv#zZuh2qoc=mlziqVHZPH4+Oh?4f z$K1TzJezgH56YI#CP>oR;5q*Oe6)6{9P#46*$E1C>w!tB=ZShaD&r~>LF-LkNH$GB zM5a~Pdo5LK0&SC;b@TaybkO(xnk00~5MP3r3X)hJhaUmBlTDuQukVBFlZAa+2Naa# za%mHP>XuYe9BAqk>b@PnIBnSvBnY)yrAo0pU?$hv;>zyFI>QMaBSeK4Oin>1wTnH< z*?}@;2_8$U+Lzi>4946r5}k~a<-e=-3}+~2?NHE}z79MiPL?J?V==nMM!^U(Am}H9 zsW8Uw(;NU*mv{78jGtWw_&PYATOTjKUN#NLdedZw3#YgoYoKAVqI(exz2^1zTR$24 zXZXJZ7OzKk7WELMDkU4Nwxt=U9#8w8`8pG^fRxQ!0HZVoV`2=-D}_~ye=j) zw=Ou-B1uo3CaI<9*Qu^(H2f2!ioKe^E9ns;6&M8oPwAjX#aO{{oKCjYrrOR%5E|8K z&ps}NPsy!l7LM>r<=wBEC`DIJvuSBGpT6|B0zVPcd5To1ePcJG$4&aG335dq!)G$Lo*`+o^ z{_SD|HIJkI7zfm~h@sO`Ds0f>($?hW^e=&M@6K_E(<7JLF8}2d76Q-8aor(Yszs&yfJj%$7MY!N zwG1HTd7(cI>P!{wD1$P&pvq9{t0eS|39bF1S^jODCW1BUF4Ai_Qo}nuu!_q$>822{ z+V5j!9VGXYESMGiVVLbnv-~uBygF}(7iYpj+sCvYhf_MJGMD7vC+qpaC^OSFzhH{b zGoX(4-gaFYUEm8J6pav!PExB!0YK;#uwM2G(ryj)gmPJ}?kL6rRc3YZPan)Yg{Bwe z*51Z~C4-$Fr{#|$8f~+0SM5=A$KZf*B5F;OmJRB6c;*hACHo?Yva|enjoJQP(pyo} 
zirg=+>6W&IV}~>){3X&ry{f1>-mWBvc5E@nj-bhBnhH>U&-X34!XJJ)arYD~_9@0@$*<-ZTQD+UsqYG+{wv+Db+p$>`(aSf{|G$Ud z`EhDBG2j_^5`ut$Icz1%!Q%k>b}n1oNnifz&qPX{J4yT{9uuuO0){nI?v%CCti9uz z6*cQ6fl}iK8Kjs&53(nXeV?762@o_&g&2GatSTz7(jc++zq>#mz=MFVQvgNf6|b$- zR)TI$>er7jm#^xTB*iSYiv>DPQ-k$lqM`r}2B37&vuf)apMCRFq6=7R+}M8n$Fj$h zJ){4l@q}pm`Kw9=8&j(n`{!mI{hzph#sazKc;Dp@xbPM7qDOxeeL>|8Z_>Tl_(r4IH;Q^q4v5t5_F{zISk@^PauMK`@uec~poHqpW&^yo2g%=L@uKF}? z)R|{ph6knsNlUU|>qdx#{R^ENnew$?e>)K*);rBjk(XT=?wWJOl8z;#c(iUHnZd+n!WJCXngf;5>)H4 zXv1E1$j4~J;cbF4UPY4Q%IlWqdPqF!c#~@{!G>$iM@gl;Uc+yyHe~lj%$j4rfp)}iNE%!%u|VUuL4hwz z)6IHnrCLpyjw(onI5 z`o!|gd(tB;cCR3CBcDqynX|t<%DxZXVGVPRiFa#9HVbV2j!H(s)vlIJS`3v{b%iZM zMeBXri-3IYi}?nj;lvAvJYw1d91n+VnuuO6N*-%F`n;EJD6_dt!Z}kM6rK)GuAinYQ z^E0exYIFWE*TB?>U_NZ61?g|zj$npXtAsRFF*QI=c3q)g#c0(eXF>ZW;antN>HsXg4kG5!|v81;n_3ZYz!^x^%qiLmti7j@= znbJ-3BXmT3!EE@a0ePx3>jYfY&wZInM~_rED#F4pl~D0jLA>C$#?IJ*-#d1$ywle6 zpjQCL=8k{5POg2|&NWu0nAhzMi%7t z*dhCt>O44uwz-o&Pb=BT(|;QTQc(xp z@&u6^W%LdLXPsb0JD`~QCie~2|Cx>fEU!3RA!Gxi>csE0fQI=6Q9+p_x$W}~p;CL# z5Azo?ph)TT?APXrQd+q#>07`y?>;-?!R|N`RnK2I{EH0bv1mSeT>-BT7!Q@i7L;=X z#p8otH^1WSIl(?@vNIx^j~5Z#algN&chg!`6&x}I%-91o4zvX!Qz5%TI&APZ=My+u zr??%t&;q*>5w>F&`*)}jw?{Tv(XKdHm3Nle0dz3&s2nq+(+9YU?|Lnqm7V?HB+pK2 zDwTX9Tz)e!~*Fq zyM}7iCGvzpgosLQUsq;v z!~9@MsW=yBi0CAftcUJ{I9;H$Y|!_%FQ*^NkIcE-u6eNg$?eRJ|j5pUe)B1pbTAI z^68f?Vc?8qcbG7Unq`<@1)CBTQvq^FbvVSsF074{6^>mNb40VpZX44jgbr&WfX$28 z>?;-=u)8+gM|RDNRfP)^z@E!%5l=6|EGzKRIxMzp7@ z5+Tnd1vnj$=3$KgjeCw@Nn%1{N5@@OmstctHmv zn~O;Tp*)VDGXak!K}Ed6jf8%ntDmx@AN|KQ{qN~|lR>$f!~N3GPCm5&RAZ{wJRP0f+Vt0SNcR}8Qc`sUP02X1 zA1iN-&QqSJ_@g%JN4IA_wH$72vMZ)&v;0XhDi{v>nV2eXdu1)y%K2EPc?Ov!4DTm8N7L&9CLy@V>M>q+%fRmYlP@E-&F}3BA zYQp^Gqb6&;^jyRA8=$|mG{0n)>a!-FcW5ydb>MJ>B!#-YM}v&H$Ea?>7S%{EUA!fo z(ZWE7pR8F{?ul^*7e&<=zhbk>b`~sdinRLb9$d3+w~d_u6og&gj1L1!8E1YfxztE3 zDMcu72>sN^`KJaj+8HHw=^Qj~pENr#W^C!BPG8vvcg%`HxXgVh#hsV2xyI7-cYte% z&0jO&ug%yPc5|8Gtuf%PUHvGxw=RJVOoh*BIp~Z$N!EIlE_^>p9WD*jcM0L-^g=C_ 
zCyPILddR>hOuDcy>(iA_-epyCJcTMosMW$5qmp)esoMu$CoT=zWXy)$NU-0yjqAU= z%h`uEJ_?i22o#Jr(&mFO9^XN~d3gQ(-cB4c^oM@|!8{Sbl%|s$>%cBQm(H?g3V&EC z;KGtkNF(RTo+hv2(HmDPvo6?3PxKIikA}%oli400GM0!cPa>|bT)P~*IQj998(z#F zMdynn%o|{HGVL+k%_&>ZL!DNd9xM-WD|6awFFc4Ln9hLT5R?|ycH*>-S9@gncfxN4 zKb($?mt%kmdzO{dr*)=1Y_)OX7}3VNGqC$*-{n`oC9r<^=nfscD>`Z} z3mt)OC5(uBiaasoeY?N&Y2LLnfaBE1KswU%VxZ@iTxHuDluR*G_FPhvczx&yd%3GQ4l~V4k zZP8?<*73LSbqkJ;$*RSHx4OGQZ%vjYjp_$1q)B#V!oshKJ*Q^g@j@5gtAWgZO zA-~gM1nak1w&1|~KiZUTox|Q%hCvDgM{S@LUx&tLV5_gRB+N?Ny!EMAiWN8XtGNJd zE5SmQO#!C53j(bnH8cY*uYl#zi~0ahEfi{GRuC7}m@`pBbqr-P<*s6!$4M`&MxQE9 zvfPf(WD)-@Xm_|o6QApK#&@oV%BZ{cUU}50-qi8ifSPK18SXOxoo{eJA_cLYiyydf zR1kgwo@j@oX@wFg(Ts!L95VRR z02VB5kcZhEe*Bc(>c$Ub5$Jv*oMgbHa&(vo!zD?v!2*vW1zy)uPS!Si7LKp)c!}~X zl$!V1q2PkXW#=f7qv^PX*khWxu~cfpZV%g_>iF%e1!17%mcPL(8BK&C);8b!w+2QT zY}7dXJTL0AYd4Ur6SqP@t{~OWu2tgF=`rjowPsmQO_ z)pistISEq|Xa4Fh>y19zl8_J^)|xi9HzJ9x#yK}m<^^p+P4Qyf12k@eTTGud^i*mS zl8m*(q!+0py?Ek!aVv$wMSAMZ6Q}+V$FS&$j$;9(^R*4J>crgvsgn&u4Bt>azS2Sb zKk~~0uSgqDbDwra*j#3R3i{PEEy`-(rByaHY3dnTDCM+z)W^&XHh=wQ|K>i0`DeJq z14e0cNj|Ni=c8`?0bru^8&YJxz#L+zhJ#^ZZ7^tgO)m!jKKd)QjfKfNME*iIx7yXj zHDt-^biH~i&--X{4Od+?9`h?cw`!xK@(}b-f#lhg=b3KNOcH7QM&^W67nG@0=GeIu z#>eGfaSp7UA6RlanYK2VvuH#uhApq_Ke`zeP6#Wa)x`}hm;fr(5e^-D69=bVk z`nlYkYe5ym(L#sYtGSUjHY%qhkn2>EqQB?#xn)1gT#P5tm;`F*HnP_5PNCMNelSfv z#Ism{ws-5)UeU>hF4_$oGqiuq1WaZ7Wb?P{o!JUfHQGvKa2*JdB%%*_L1ZES(J-~% z@~6R4hvk(BpSR^n$^Hu(ZqPEG+`8El#<~Pm8Gua zIMkg@p}7v;u>MLdrktJC(32+2Z&yj*Ig-P2kIFx7V_P(V1fRJCMMni}w4`S|ZGG-M z;8z^YWCKS>)Z#Ec=Y@Ad>V-R^9N&l#BunQA5%~*_w2kB*PEfJpHLhS>Se&~^V5u}M zXpm{rg(Dk~*_%DH<@;xq$EO;YggPZUJOTxkwNr+Q6jhhq{QF(v64{$3l^djnT%}oF zbB!-o8P39$#CI6;R*{?&23AWF*a{9jAneAlXARD6=ZL!cS5vbzCEJ{r`0E>wk0r zFfZwXPCvBv$J|r*$1t<#b(8OR^>H#LYl^AYdt?^93mmZa{KU@3HbnWHb;5-&OO6{h zgA>8>RgdE`4gli|7#{Tfi$ul7+SUBq>Z8K;R>@Zp7r6(4*|sROW>VM2t}%#r@U6#juGXJUm>nqw6Fbk*7H zTX^>u{h*T%jb61=XZ{bG-||~-Y{*Y<6J)R;B}`pAlrZxx=rOrCcevVMgfjMZ!A_n8 zcQ1Jo9+uHs)U-HMxtq 
zAnJK2J7oc)222|(ujJt7hV~w$pz5_oLqc$TB7a*!%!;{@j%|>_{`+EeRdgUN zc3&X>)j$@HrYT@;-?*#^fiy|-ut$lh04|04-4byX}{{R5b;R) zPgT+ap}0G|p@44eq3wPZgKx|K>YPbLzgL*^Q{@;b~E5!;%PPiZvm*y5Qs!Bg@{}Ek&VI7xE555 zq6@c<*`w^!mzK)^1o6w;oI$^{jFKk6IU ztAlBT{0R%!SJFd5&`DFD#}-bbU60Z93ByDTni}EMHUjYPW?JIB-x^&gW8vnekTh>l z=8gzE@Agokcz7-M%_kU?uowp41)p|BJ8FHXHy!_7ItLbXCPx^O9}M%J;dk_i^C?4= z%a2$|aqHR5eYv5`19ZxkIZ7{oExsjWAKzpV$4bpr7=|cFEws7#Fz5??`dc%}qEtS~ zL_M`1)93(kl}zHEOwv5^kJo~E7_ZXvf@GSy8)9OoBoa_XsW?lx4l{J&v7CwGG#_f* z;J(eaG&4t%>;^^`5-D&~M^1Ud@K>nnJKVt8fmN4(p~?r6^UrT&zHYPTMeSg$k^CLy z5JU&OY|sq!50N@0MsXgeOi)?mNdc77I7;zFhqZt@6XWKJH|E=*o_4IHsatA#xxQos z>@t0NBY2aU3Z2y3I|v!|D`mNbcU43!<-!ES+6osvCM@6B{_g;0^3dnk!bd$kGuq`8 zMn&vt%rHd8+}La9kPApbB;ygH>B;W0w9jjeJK|4AO?|#kb_vK!uQ)77?ZqUwMxz)- z7#bk$9U{loCKCemoKj)<5A=K|VZRG5E!}Yg=hMJ#+wywNHDfGM#nj2hf=ty|IL~)7 z0}5bgcj{NC=2drjZ7Nd3!^2QG!mYDMRTv8 z&cK5$w2R_=6o`&p)`M|8<)FZ3!Do(s;^giu>gAMszW;Rcko=1X8~eQdMGG#g_a`7E zxwEE(2-N`ZoNFAAIuu}r`8TX02l9Jwx1p8O9-j6E!<(5h(YLt^< z?wN4`{WX_u4(u9l|3K_}l}($@@g8_-1h0Mlf`<-$C-ms$Yr;H2wVS!rF{*Q%fki5 z5duJxd^j{gax4Z9jh`~?pLwZj)*;(=Q+kExX6*&S=8#X(PW$4wuvaQJ=>eeIG~&?x zEdHNPKkDbr>C64;^+O9^T7bO7-$2~80_N&$SSawVm@@&+vQzVnaDE5kX}4+SF%jSN z_{~od=K9lMBcoGPo(wCH_qcwP9(U&K$Ug@pt+S$6AH?e)+x(h(W7QV-vTTT_5efl4 z-&RI{bf@ozR?P%2;uBa{HUJav*#GdX&Zr%xf{0DB<9eWm+z2ORmweEfbW+bWH_^dH zE@lcvx%K=_Gk1v!T1cd1H#OkK5e8l6uRK~7EH}vV^WTkXXVkmii*M3PKl~^)iKGD>L#r7IWf9CErgdW#Az}8V@hKeHm{uR%vEa-_)y5*ZD zi;*HdL6rPJgIW>WRz&el&PIUUWHiA_q+ORBL6k2Jr}6T;U4XJHqw$*PLyrcuRM+#( zFYDZZmOk2_1^fZ4Y3Gg;6b(eNaQtlGB1tRMdn2489e`IO{l&Q1EJi;=TN)0+2qJSQ z)*yvXMmY-xF4QESoZ-OI8_UwMCF#Tx==5hpk8Abjw=hLIO5(N0ZwODFV%(~{sLa2XU=RI5u`1&y zAisa|r~t;UbBedLmAhwy-adh^;+*wFj-I21$y^0@g zA!y!!;e4SG@dbTF*BLHK*PKQ7nG9W;KidK=XCN-o@cD`8IF~C02!?{*BI_~l7&m&U zuuf7CMzUKsGHzF%cxH@(6UxCn>!}+@K(_{R2T+|LIey;tvTqU7!mf~CdO@t3M419> zJ>{y|sOGO+H1*#dK@b%FX?!1gwI@vqee##Os4y&X?8Y~@4y!WzOXo}(!W3~WMxEau z=w0Oj?GZ)LeD-xdZn|~kCj{RqQ%XZ@yM$ldnJaW+u<>BD)tdwhi^ueJ% 
zGIk+Z+LuV92?yp4YP9;K+PBN!3Aw6ne*hZFH9D`?eNiP`tNs`Fg8N?cLQg3h`;+P0 z&iu(!H51V5FR|Jx#+E@{u7(LGV1d~Kz_dX(XK|~dai=|=!RuvIr*W01Ez2)G=Szmk zTkLo)`kB<0&l;PC09~;y#EB-iP==vOkiL>^cI^5-4BIRs&Ni|;jL;Eq{y&3zp8z5e z5w$MQ<(zC+E@q5GITWanrl@>r-QSBn5+%fuSNNoSp`-l!i%Gy>ur=QSuGz0 z&iU*8ceU*+Q*XPit$#{mo!;A5ssLxzQ+&zE&Y{~n#U`8Lj+Vqyjv0HtnQO-^zMq4B zVB)O|1;^v7s0r8CV+W6vVq5Np31qtHJ3HFK-Mb-{TWmf@RFF r|K+zdIgEyz=>NQOJ8Xe~p#JxR`ab~*Li}HCNZz3#hti_`pU(dSMJzj= diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json index c8f437b60a..86c6e1b544 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json @@ -166,7 +166,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \nThe query tries to detect suspicious DNS queries known from Cobalt Strike beacons.\nThis is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml This hunting query depends on DNS AzureMonitor(VMInsights) data connector (DnsEvents VMConnection Parser or Table)" + "text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This hunting query depends on DNS AzureMonitor(VMInsights) data connector (DnsEvents VMConnection Parser or Table)" } } ] 
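Review bot: The rewritten `huntingquery1-text` drops the Sigma rule URL (`.../rules/network/net_mal_dns_cobaltstrike.yml`) that the CobaltDNSBeacon.yaml hunk earlier in this same patch still keeps in `description-detailed`, so the deployment UI no longer tells an analyst where the beacon-DNS patterns come from and the package text now disagrees with its source YAML. The new string also inserts a space after `\n`, which renders the second sentence indented. Unless the packager is intentionally emitting only the first two lines of `description-detailed`, I would keep the third sentence with the Sigma link in the generated text; since Sigma rules have been reorganized upstream, a commit-pinned permalink would presumably be more durable than the `master` path, but that is worth verifying.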
@@ -180,7 +180,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.\n Refrence: https://twitter.com/SBousseaden/status/1286750095296335883 This hunting query depends on SecurityEvents WindowsSecurityEvents data connector (SecurityEvent SecurityEvent Parser or Table)" + "text": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. This hunting query depends on SecurityEvents WindowsSecurityEvents data connector (SecurityEvent SecurityEvent Parser or Table)" } } ] diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json index d032910f19..bd3ebe718e 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json @@ -107,7 +107,7 @@ "tags": [ { "name": "description", - "value": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \nThe query tries to detect suspicious DNS queries known from Cobalt Strike beacons.\nThis is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml" + "value": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons." }, { "name": "tactics", 
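Review bot: `huntingquery2-text` on the new side loses the only provenance the Impacket hunting query had (`Refrence: https://twitter.com/SBousseaden/status/...`), and the `description` tag in the following mainTemplate.json hunk is trimmed the same way, while the source YAML in this patch still carries the reference in `description-detailed`. An analyst reviewing a hit from the portal now has no pointer to the research the query was derived from. I would keep the reference in the generated text, e.g. `... Windows credential dumping. Reference: https://twitter.com/SBousseaden/status/1286750095296335883 This hunting query depends on ...`, with the spelling corrected in the YAML it is generated from rather than only here.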
@@ -192,7 +192,7 @@ "tags": [ { "name": "description", - "value": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.\n Refrence: https://twitter.com/SBousseaden/status/1286750095296335883" + "value": "This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping." }, { "name": "tactics", @@ -284,10 +284,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -306,6 +306,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -315,10 +316,10 @@ "identifier": "UPNSuffix", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -328,10 +329,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -341,10 +342,10 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -354,8 +355,7 @@ "identifier": "Value", "columnName": "SHA256" } - ], - "entityType": "FileHash" + ] } ] } @@ -439,10 +439,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "Event" - ] + ], + "connectorId": "SecurityEvents" } ], "tactics": [ 
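Review bot: The key reordering in this run of hunks (`connectorId` moved after `dataTypes`, `entityType` moved ahead of `fieldMappings`) is a no-op for the ARM deployment but makes up most of the mainTemplate.json diff, and none of the mainTemplate hunks visible here add a `subTechniques` field, which is what the 3.0.1 release-notes entry later in this patch (`Added subTechniques in mainTemplate`) records for this package. Either the generator's serialization order changed and the note should say so, or the subTechniques change is missing from the regenerated template and package zip; as it stands the changelog and the diff do not agree. A fixed key order in the packager would keep future regenerations to the intended change.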
@@ -456,24 +456,25 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] }, { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "ImagePath" } - ], - "entityType": "File" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -483,8 +484,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -568,10 +568,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "Event" - ] + ], + "connectorId": "SecurityEvents" } ], "tactics": [ @@ -585,15 +585,16 @@ ], "entityMappings": [ { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "TargetFilename" } - ], - "entityType": "File" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -603,17 +604,16 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "CommandLine", "columnName": "Image" } - ], - "entityType": "Process" + ] } ] } @@ -697,28 +697,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -850,6 +850,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
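Review bot: The regenerated `requiredDataConnectors` in the `@@ -697,28 +697,28 @@` hunk still lists `WindowsSecurityEvents` twice, once with `"dataTypes": ["SecurityEvent"]` and once with `"dataTypes": ["SecurityEvents"]`; the plural form does not match the table name used by the sibling entries and looks like a typo that survived regeneration. If the portal uses these dataTypes to decide whether the rule's connector is satisfied, the second entry can never be met and at best is dead configuration. Because mainTemplate.json is generated, the fix belongs in the analytic rule's own `requiredDataConnectors` block (outside this diff), dropping the duplicate entry or changing it to `"dataTypes": ["SecurityEvent"]`, followed by regenerating the package.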
@@ -859,10 +860,10 @@ "identifier": "NTDomain", "columnName": "SubjectDomainName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -872,8 +873,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } diff --git a/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md b/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md index 3985af9802..74329c781f 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md +++ b/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md @@ -1,5 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------------| -| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID | - +| 3.0.1 | 23-01-2024 | Added subTechniques in mainTemplate | +| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID | diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index 7a52934d17..b12c48daa4 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.1 | 22-01-2024 | | -| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue | \ No newline at end of file +| 3.0.1 | 22-01-2024 | Added subTechniques in mainTemplate | +| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue | \ No newline at end of file