adding in TimeGenerated and Action to CustomTable JSON to pass final validation issues

Shain Wray (MSTIC) 2021-03-22 13:44:09 -07:00
Родитель 749f8bfe2a
Коммит 50421e0425
2 изменённых файлов: 283 добавлений и 275 удалений


@ -1,277 +1,285 @@
{
"Name":"SlackAudit",
"Properties":[
{
"Name":"EventVendor",
"Type":"String"
},
{
"Name":"EventProduct",
"Type":"String"
},
{
"Name":"DetailsMobileOnly",
"Type":"Bool"
},
{
"Name":"DetailsWebOnly",
"Type":"Bool"
},
{
"Name":"DetailsKickerId",
"Type":"String"
},
{
"Name":"DetailsKickerName",
"Type":"String"
},
{
"Name":"DetailsKickerEmail",
"Type":"String"
},
{
"Name":"DetailsKickerTeam",
"Type":"String"
},
{
"Name":"DetailsAppOwnerId",
"Type":"String"
},
{
"Name":"DetailsGranularBotToken",
"Type":"Bool"
},
{
"Name":"DetailsNewScopes",
"Type":"String"
},
{
"Name":"DetailsPreviousScopes",
"Type":"String"
},
{
"Name":"EntityUsergroupId",
"Type":"String"
},
{
"Name":"EntityUsergroupName",
"Type":"String"
},
{
"Name":"DetailsKickerType",
"Type":"String"
},
{
"Name":"DetailsKickerUserId",
"Type":"String"
},
{
"Name":"DetailsKickerUserName",
"Type":"String"
},
{
"Name":"DetailsKickerUserEmail",
"Type":"String"
},
{
"Name":"DetailsKickerUserTeam",
"Type":"String"
},
{
"Name":"DetailsInviterId",
"Type":"String"
},
{
"Name":"DetailsInviterName",
"Type":"String"
},
{
"Name":"DetailsInviterEmail",
"Type":"String"
},
{
"Name":"DetailsInviterTeam",
"Type":"String"
},
{
"Name":"DetailsInviterType",
"Type":"String"
},
{
"Name":"DetailsInviterUserId",
"Type":"String"
},
{
"Name":"DetailsInviterUserName",
"Type":"String"
},
{
"Name":"DetailsInviterUserEmail",
"Type":"String"
},
{
"Name":"DetailsInviterUserTeam",
"Type":"String"
},
{
"Name":"DetailsIsWorkflow",
"Type":"Bool"
},
{
"Name":"EntityAppId",
"Type":"String"
},
{
"Name":"EntityAppName",
"Type":"String"
},
{
"Name":"EntityAppIsDistributed",
"Type":"Bool"
},
{
"Name":"EntityAppIsDirectoryApproved",
"Type":"Bool"
},
{
"Name":"EntityAppIsWorkflowApp",
"Type":"Bool"
},
{
"Name":"EntityAppScopes",
"Type":"String"
},
{
"Name":"DetailsIsInternalIntegration",
"Type":"Bool"
},
{
"Name":"DetailsBotScopes",
"Type":"String"
},
{
"Name":"EntityChannelId",
"Type":"String"
},
{
"Name":"EntityChannelPrivacy",
"Type":"String"
},
{
"Name":"EntityChannelName",
"Type":"String"
},
{
"Name":"EntityChannelIsShared",
"Type":"Bool"
},
{
"Name":"EntityChannelIsOrgShared",
"Type":"Bool"
},
{
"Name":"DetailsType",
"Type":"String"
},
{
"Name":"EntityUserId",
"Type":"String"
},
{
"Name":"EntityUserName",
"Type":"String"
},
{
"Name":"EntityUserEmail",
"Type":"String"
},
{
"Name":"EntityUserTeam",
"Type":"String"
},
{
"Name":"EventId",
"Type":"String"
},
{
"Name":"EventEndTime",
"Type":"Double"
},
{
"Name":"DvcAction",
"Type":"String"
},
{
"Name":"ActorType",
"Type":"String"
},
{
"Name":"SrcUserIdentity",
"Type":"String"
},
{
"Name":"SrcUserName",
"Type":"String"
},
{
"Name":"SrcUserEmail",
"Type":"String"
},
{
"Name":"ActorUserTeam",
"Type":"String"
},
{
"Name":"EntityType",
"Type":"String"
},
{
"Name":"EntityFileId",
"Type":"String"
},
{
"Name":"EntityFileName",
"Type":"String"
},
{
"Name":"EntityFileFiletype",
"Type":"String"
},
{
"Name":"EntityFileTitle",
"Type":"String"
},
{
"Name":"context_location_type_s",
"Type":"String"
},
{
"Name":"ContextLocationId",
"Type":"String"
},
{
"Name":"ContextLocationName",
"Type":"String"
},
{
"Name":"ContextLocationDomain",
"Type":"String"
},
{
"Name":"UserAgentOriginal",
"Type":"String"
},
{
"Name":"SrcIpAddr",
"Type":"String"
},
{
"Name":"ContextSessionId",
"Type":"Double"
},
{
"Name":"DvcActionDesc",
"Type":"String"
}
]
"Properties": [
{
"Name": "TimeGenerated",
"Type": "Datetime"
},
{
"Name": "Action",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "DetailsMobileOnly",
"Type": "Bool"
},
{
"Name": "DetailsWebOnly",
"Type": "Bool"
},
{
"Name": "DetailsKickerId",
"Type": "String"
},
{
"Name": "DetailsKickerName",
"Type": "String"
},
{
"Name": "DetailsKickerEmail",
"Type": "String"
},
{
"Name": "DetailsKickerTeam",
"Type": "String"
},
{
"Name": "DetailsAppOwnerId",
"Type": "String"
},
{
"Name": "DetailsGranularBotToken",
"Type": "Bool"
},
{
"Name": "DetailsNewScopes",
"Type": "String"
},
{
"Name": "DetailsPreviousScopes",
"Type": "String"
},
{
"Name": "EntityUsergroupId",
"Type": "String"
},
{
"Name": "EntityUsergroupName",
"Type": "String"
},
{
"Name": "DetailsKickerType",
"Type": "String"
},
{
"Name": "DetailsKickerUserId",
"Type": "String"
},
{
"Name": "DetailsKickerUserName",
"Type": "String"
},
{
"Name": "DetailsKickerUserEmail",
"Type": "String"
},
{
"Name": "DetailsKickerUserTeam",
"Type": "String"
},
{
"Name": "DetailsInviterId",
"Type": "String"
},
{
"Name": "DetailsInviterName",
"Type": "String"
},
{
"Name": "DetailsInviterEmail",
"Type": "String"
},
{
"Name": "DetailsInviterTeam",
"Type": "String"
},
{
"Name": "DetailsInviterType",
"Type": "String"
},
{
"Name": "DetailsInviterUserId",
"Type": "String"
},
{
"Name": "DetailsInviterUserName",
"Type": "String"
},
{
"Name": "DetailsInviterUserEmail",
"Type": "String"
},
{
"Name": "DetailsInviterUserTeam",
"Type": "String"
},
{
"Name": "DetailsIsWorkflow",
"Type": "Bool"
},
{
"Name": "EntityAppId",
"Type": "String"
},
{
"Name": "EntityAppName",
"Type": "String"
},
{
"Name": "EntityAppIsDistributed",
"Type": "Bool"
},
{
"Name": "EntityAppIsDirectoryApproved",
"Type": "Bool"
},
{
"Name": "EntityAppIsWorkflowApp",
"Type": "Bool"
},
{
"Name": "EntityAppScopes",
"Type": "String"
},
{
"Name": "DetailsIsInternalIntegration",
"Type": "Bool"
},
{
"Name": "DetailsBotScopes",
"Type": "String"
},
{
"Name": "EntityChannelId",
"Type": "String"
},
{
"Name": "EntityChannelPrivacy",
"Type": "String"
},
{
"Name": "EntityChannelName",
"Type": "String"
},
{
"Name": "EntityChannelIsShared",
"Type": "Bool"
},
{
"Name": "EntityChannelIsOrgShared",
"Type": "Bool"
},
{
"Name": "DetailsType",
"Type": "String"
},
{
"Name": "EntityUserId",
"Type": "String"
},
{
"Name": "EntityUserName",
"Type": "String"
},
{
"Name": "EntityUserEmail",
"Type": "String"
},
{
"Name": "EntityUserTeam",
"Type": "String"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "Double"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "ActorType",
"Type": "String"
},
{
"Name": "SrcUserIdentity",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcUserEmail",
"Type": "String"
},
{
"Name": "ActorUserTeam",
"Type": "String"
},
{
"Name": "EntityType",
"Type": "String"
},
{
"Name": "EntityFileId",
"Type": "String"
},
{
"Name": "EntityFileName",
"Type": "String"
},
{
"Name": "EntityFileFiletype",
"Type": "String"
},
{
"Name": "EntityFileTitle",
"Type": "String"
},
{
"Name": "context_location_type_s",
"Type": "String"
},
{
"Name": "ContextLocationId",
"Type": "String"
},
{
"Name": "ContextLocationName",
"Type": "String"
},
{
"Name": "ContextLocationDomain",
"Type": "String"
},
{
"Name": "UserAgentOriginal",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "ContextSessionId",
"Type": "Double"
},
{
"Name": "DvcActionDesc",
"Type": "String"
}
]
}
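Review bot: `context_location_type_s` in the new property list is still in raw custom-log form (snake_case with an `_s` suffix), while the neighbouring columns are `ContextLocationId`, `ContextLocationName` and `ContextLocationDomain`. If the SlackAudit parser emits a normalized name for this field, a detection that filters on location type would either fail validation against this schema or validate and then miss the column at query time; worth checking the parser and aligning the name here. `ContextSessionId` as `Double` may also round large session identifiers, so `String` is probably the safer type for correlating sessions, if the ingested data allows it.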


@ -1,7 +1,7 @@
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
name: SlackAudit - User role changed to admin or owner
description: |
'This query helps to detect a change in the user's role to admin or owner.'
'This query helps to detect a change in the users role to admin or owner.'
severity: Low
requiredDataConnectors:
- connectorId: SlackAuditAPI
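Review bot: The new description line reads `users role`, which is ungrammatical; because the text sits under `description: |`, the surrounding single quotes are literal characters of the block scalar, so the apostrophe was presumably tripping a downstream validator rather than YAML itself. Wording that needs no apostrophe keeps both the check and the analyst-facing text clean, e.g. `'This query helps to detect a change of a user role to admin or owner.'`. The rule definition continues past the end of this hunk, so the query and the `severity: Low` setting for admin/owner grants are not reviewed here.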