adding entities and fixing up some mappings

2021-03-21 12:36:33 -07:00 · 2021-03-21 12:36:33 -07:00 · 48e705181e
--- a/Queries/AuditLogs/ConsentToApplicationDiscovery.yaml
+++ b/Queries/AuditLogs/ConsentToApplicationDiscovery.yaml
@ -70,8 +70,18 @@ query: |
  // Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested
  //| where isnotempty(scope)
  | where scope !contains 'openid' and scope !in ('user_impersonation','User.Read')
-  | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate) , make_set(scope)
+  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate) , make_set(scope)
    by InitiatedBy, IpAddress, TargetResourceName, OperationName, CorrelationId
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress
-  //summarize by app for easier hunting
-  | summarize make_set(InitiatedBy), make_set(IpAddress), make_set(PropertyUpdateSet) by TargetResourceName, tostring(set_scope)
+  | extend timestamp = StartTime, AccountCustomEntity = InitiatedBy, IPCustomEntity = IpAddress
+  // uncommnet below to summarize by app if many results
+  //| summarize make_set(InitiatedBy), make_set(IpAddress), make_set(PropertyUpdateSet) by TargetResourceName, tostring(set_scope)
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/AuditLogs/RareAuditActivityByApp.yaml
+++ b/Queries/AuditLogs/RareAuditActivityByApp.yaml
@ -56,3 +56,13 @@ query: |
  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by InitiatedByApp, OperationName, TargetUserPrincipalName, InitiatedByIpAddress, TargetResourceName
  | order by TargetUserPrincipalName asc, StartTime asc
  | extend timestamp = StartTime, AccountCustomEntity = TargetUserPrincipalName, HostCustomEntity = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), IPCustomEntity = InitiatedByIpAddress
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/AuditLogs/RareAuditActivityByUser.yaml
+++ b/Queries/AuditLogs/RareAuditActivityByUser.yaml
@ -51,3 +51,13 @@ query: |
  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName
  | order by InitiatedByUser asc, StartTime asc
  | extend timestamp = StartTime, AccountCustomEntity = InitiatedByUser, HostCustomEntity = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), IPCustomEntity = InitiatedByIPAddress
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/AuditLogs/StsRefreshTokenModification.yaml
+++ b/Queries/AuditLogs/StsRefreshTokenModification.yaml
@ -6,9 +6,9 @@ description: |
  Also an allowlist has been included to filter known accounts which can be customized after careful review of past historical activity.
  Analyze the results for unusual operations performed by administrators to extend a refresh token of a compromised account in order to extend the time they can use it without the need to re-authenticate (and thus potentially lose access).
  For in-depth documentation of AAD Security Tokens, see https://docs.microsoft.com/azure/active-directory/develop/security-tokens.
-  For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.'
+  For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
  For valid use cases of altering token lifetime values, refer https://docs.microsoft.com/azure/active-directory/develop/access-tokens#token-timeouts
-  More information about risky use-cases ,refer https://docs.microsoft.com/azure/active-directory/develop/active-directory-configurable-token-lifetimes#token-lifetimes-with-public-client-refresh-tokens
+  More information about risky use-cases, refer https://docs.microsoft.com/azure/active-directory/develop/active-directory-configurable-token-lifetimes#token-lifetimes-with-public-client-refresh-tokens'
 severity: Low
 requiredDataConnectors:
  - connectorId: AzureActiveDirectory
@ -45,6 +45,7 @@ query: |
  | project-reorder Result, AADOperationType
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress
+
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AuditLogs/UserGrantedAccess_AllAuditActivity.yaml
+++ b/Queries/AuditLogs/UserGrantedAccess_AllAuditActivity.yaml
@ -38,7 +38,7 @@ query: |
      | extend TargetUserName = replace("_","@",tostring(split(TargetUserPrincipalName, "#")[0]))
      | extend TargetUserName = iff(isempty(TargetUserName), tostring(split(split(TargetResourceName, ",")[0], " ")[1]), TargetUserName ) 
      | mvexpand ModProps
-      | extend PropertyName = tostring(ModProps.displayName), newValue = replace("\"","",tostring(ModProps.newValue));
+      | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\"','',tostring(ModProps.newValue));
  };
  let HistoricalAdd = auditLogEvents(auditLookback)
  | where OperationName in~ (opName)
@ -64,6 +64,16 @@ query: |
  Results
  | extend newValue = split(newValue, ";")
  | extend PropertyUpdate = pack(PropertyName, newValue, "Id", Id)
-  | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate) 
+  | summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate) 
  by InitiatedBy, IpAddress, TargetUserName, TargetResourceName, OperationName, CorrelationId
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress
+  | extend timestamp = StartTime, AccountCustomEntity = InitiatedBy, IPCustomEntity = IpAddress
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/AuditLogs/UserGrantedAccess_GrantsOthersAccess.yaml
+++ b/Queries/AuditLogs/UserGrantedAccess_GrantsOthersAccess.yaml
@ -35,7 +35,7 @@ query: |
      | extend TargetUserName = replace("_","@",tostring(split(TargetUserPrincipalName, "#")[0]))
      | extend TargetUserName = iff(isempty(TargetUserName), tostring(split(split(TargetResourceName, ",")[0], " ")[1]), TargetUserName ) 
      | mvexpand ModProps
-      | extend PropertyName = tostring(ModProps.displayName), newValue = replace("\"","",tostring(ModProps.newValue));
+      | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\"','',tostring(ModProps.newValue));
  };
  // Assigning time for First TargetUserName that was added
  let FirstAdd = auditLogEvents(auditLookback, opName)  
@ -56,4 +56,14 @@ query: |
  | extend PropertyUpdate = pack(FirstPropertyName, FirstnewValue, SecondPropertyName, SecondnewValue, "FirstCorrelationId", FirstCorrelationId, "FirstId", FirstId, "SecondCorrelationId", SecondCorrelationId, "SecondId", SecondId)
  | summarize PropertyUpdateSet = make_bag(PropertyUpdate) by FirstAddTimeUtc, FirstInitiatedBy, FirstTargetUserName, SecondAddTimeUtc, SecondInitiatedBy, SecondTargetUserName, 
  IpAddress, FirstTargetResourceName, SecondTargetResourceName, FirstOperationName, SecondOperationName
-  | extend timestamp = FirstAddTimeUtc, AccountCustomEntity = FirstInitiatedBy, HostCustomEntity = FirstTargetResourceName, IPCustomEntity = IpAddress
+  | extend timestamp = FirstAddTimeUtc, AccountCustomEntity = FirstInitiatedBy, HostCustomEntity = FirstTargetResourceName, IPCustomEntity = IpAddress
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity