Standalone content tagging Hunting Queries (#6702)

* Standalone content tagging Hunting Queries * Update Fortinet-NetworkBeaconPattern.yaml * Update support * Update WorkbooksMetadata.json * Update WorkbooksMetadata.json
2022-11-24 13:16:00 +05:30 · 2022-11-24 13:16:00 +05:30 · 518c44468d
--- a/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml
+++ b/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml
@ -76,5 +76,14 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
+metadata:
+    source:
+        kind: Community
+    author:
+        name: robMSFT
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]
--- a/Queries/GitHub/Unusual
+++ b/Queries/GitHub/Unusual
@ -19,6 +19,13 @@ query: |
  | make-series num=sum(tolong(Count)) default=0 on TimeGenerated in range(min_t, max_t, 1h) by Repository 
  | extend (anomalies, score, baseline) = series_decompose_anomalies(num, 1.5, -1, 'linefit')
  | render timechart 
-
-
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: itay6588
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/CrossWorkspaceQueryAnomolies.yaml
+++ b/Queries/LAQueryLogs/CrossWorkspaceQueryAnomolies.yaml
@ -39,4 +39,14 @@ query: |
  //LAQueryLogs
  //| where TimeGenerated between(starttime..endtime)
  //on AADEmail
-  //| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+  //| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/MultipleLargeQueriesByUser.yaml
+++ b/Queries/LAQueryLogs/MultipleLargeQueriesByUser.yaml
@ -24,4 +24,13 @@ query: |
  | where (ResponseRowCount == 10001 and RequestClientApp in(UI_apps)) or (ResponseRowCount > 10001 and RequestClientApp !in(UI_apps)))
  on AADEmail
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/NewClientRunningQueries.yaml
+++ b/Queries/LAQueryLogs/NewClientRunningQueries.yaml
@ -26,4 +26,14 @@ query: |
  | where TimeGenerated between(starttime..endtime)
  )
  on RequestClientApp
-  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/NewServicePrincipalRunningQueries.yaml
+++ b/Queries/LAQueryLogs/NewServicePrincipalRunningQueries.yaml
@ -28,4 +28,14 @@ query: |
  | where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
  )
  on AADClientId
-  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/NewUserRunningQueries.yaml
+++ b/Queries/LAQueryLogs/NewUserRunningQueries.yaml
@ -24,4 +24,13 @@ query: |
  on AADEmail
  | project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/QueryDataVolumeAnomolies.yaml
+++ b/Queries/LAQueryLogs/QueryDataVolumeAnomolies.yaml
@ -31,4 +31,13 @@ query: |
  on TimeGenerated
  | project TimeGenerated, AADEmail, RequestTarget, set_QueryText
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/QueryLookingForSecrets.yaml
+++ b/Queries/LAQueryLogs/QueryLookingForSecrets.yaml
@ -29,4 +29,13 @@ query: |
  | extend querytext_lower = tolower(QueryText)
  | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))
  on CorrelationId
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/UserReturningMoreDataThanDailyAverage.yaml
+++ b/Queries/LAQueryLogs/UserReturningMoreDataThanDailyAverage.yaml
@ -36,3 +36,13 @@ query: |
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
  // Comment out the line below to see the queries run by users.
  | summarize total_rows = sum(ResponseRowCount), NoQueries = count(), AvgQuerySize = sum(ResponseRowCount)/count() by AADEmail
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/LAQueryLogs/UserRunningMultipleQueriesThatFail.yaml
+++ b/Queries/LAQueryLogs/UserRunningMultipleQueriesThatFail.yaml
@ -23,4 +23,13 @@ query: |
  | summarize make_set(QueryText) by AADEmail, bin(TimeGenerated, timeframe))
  on AADEmail, TimeGenerated
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
-
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Pete Bryan
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
+++ b/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
@ -81,3 +81,13 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Shain
+    support:
+        tier: Microsoft
+    categories:
+        domains: [ "Security - Threat Protection" ]
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@ -1141,7 +1141,19 @@
    "title": "Unifi Security Gateway",
    "templateRelativePath": "UnifiSG.json",
    "subtitle": "",
-    "provider": "Microsoft Sentinel community"
+    "provider": "Microsoft Sentinel community",
+	"support": {
+      "tier": "Community"
+    },
+    "author": {
+      "name": "SecurityJedi"
+    },
+    "source": {
+      "kind": "Community"
+    },
+    "categories": {
+      "domains": [ "Security – Network" ]
+    }
  },
  {
    "workbookKey": "UnifiSGNetflowWorkbook",
@ -1154,7 +1166,19 @@
    "title": "Unifi Security Gateway - NetFlow",
    "templateRelativePath": "UnfiSGNetflow.json",
    "subtitle": "",
-    "provider": "Microsoft Sentinel community"
+    "provider": "Microsoft Sentinel community",
+	"support": {
+      "tier": "Community"
+    },
+    "author": {
+      "name": "SecurityJedi"
+    },
+    "source": {
+      "kind": "Community"
+    },
+    "categories": {
+      "domains": [ "Security – Network" ]
+    }
  },
  {
    "workbookKey": "NormalizedNetworkEventsWorkbook",