Merge pull request #9650 from Azure/origins/users/rahul/MPE-Solution

Malware Protection Essentials - ASIM Based Solution
v-atulyadav 2024-01-15 18:20:54 +05:30 коммит произвёл GitHub
Родитель ccbac31f42 ce9d5be35f
Коммит 61b3d02b8c
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
31 изменённых файлов: 5831 добавлений и 0 удалений


@ -0,0 +1,552 @@
{
"FunctionName": "_ASim_FileEvent",
"FunctionParameters": [
{
"Name": "disabled",
"Type": "bool",
"IsRequired": false
}
],
"FunctionResultColumns": [
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "ActingAppId",
"Type": "string"
},
{
"Name": "ActingAppName",
"Type": "string"
},
{
"Name": "ActingAppType",
"Type": "string"
},
{
"Name": "ActingProcessCommandLine",
"Type": "string"
},
{
"Name": "ActingProcessGuid",
"Type": "string"
},
{
"Name": "ActingProcessId",
"Type": "string"
},
{
"Name": "ActingProcessName",
"Type": "string"
},
{
"Name": "ActorOriginalUserType",
"Type": "string"
},
{
"Name": "ActorScope",
"Type": "string"
},
{
"Name": "ActorScopeId",
"Type": "string"
},
{
"Name": "ActorSessionId",
"Type": "string"
},
{
"Name": "ActorUserAadId",
"Type": "string"
},
{
"Name": "ActorUserId",
"Type": "string"
},
{
"Name": "ActorUserIdType",
"Type": "string"
},
{
"Name": "ActorUsername",
"Type": "string"
},
{
"Name": "ActorUsernameType",
"Type": "string"
},
{
"Name": "ActorUserSid",
"Type": "string"
},
{
"Name": "ActorUserType",
"Type": "string"
},
{
"Name": "AdditionalFields",
"Type": "dynamic"
},
{
"Name": "Application",
"Type": "string"
},
{
"Name": "DstDescription",
"Type": "string"
},
{
"Name": "Dvc",
"Type": "string"
},
{
"Name": "DvcAction",
"Type": "string"
},
{
"Name": "DvcDescription",
"Type": "string"
},
{
"Name": "DvcDomain",
"Type": "string"
},
{
"Name": "DvcDomainType",
"Type": "string"
},
{
"Name": "DvcFQDN",
"Type": "string"
},
{
"Name": "DvcHostname",
"Type": "string"
},
{
"Name": "DvcId",
"Type": "string"
},
{
"Name": "DvcIdType",
"Type": "string"
},
{
"Name": "DvcInterface",
"Type": "string"
},
{
"Name": "DvcIpAddr",
"Type": "string"
},
{
"Name": "DvcMacAddr",
"Type": "string"
},
{
"Name": "DvcOriginalAction",
"Type": "string"
},
{
"Name": "DvcOs",
"Type": "string"
},
{
"Name": "DvcOsVersion",
"Type": "string"
},
{
"Name": "DvcScopeId",
"Type": "string"
},
{
"Name": "EventCount",
"Type": "int"
},
{
"Name": "EventEndTime",
"Type": "datetime"
},
{
"Name": "EventMessage",
"Type": "string"
},
{
"Name": "EventOriginalResultDetails",
"Type": "string"
},
{
"Name": "EventOriginalSeverity",
"Type": "string"
},
{
"Name": "EventOriginalSubType",
"Type": "string"
},
{
"Name": "EventOriginalType",
"Type": "string"
},
{
"Name": "EventOriginalUid",
"Type": "string"
},
{
"Name": "EventOwner",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "EventProductVersion",
"Type": "string"
},
{
"Name": "EventReportUrl",
"Type": "string"
},
{
"Name": "EventResult",
"Type": "string"
},
{
"Name": "EventSchema",
"Type": "string"
},
{
"Name": "EventSchemaVersion",
"Type": "string"
},
{
"Name": "EventSeverity",
"Type": "string"
},
{
"Name": "EventStartTime",
"Type": "datetime"
},
{
"Name": "EventType",
"Type": "string"
},
{
"Name": "EventUid",
"Type": "string"
},
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "FileName",
"Type": "string"
},
{
"Name": "FilePath",
"Type": "string"
},
{
"Name": "Hash",
"Type": "string"
},
{
"Name": "HashType",
"Type": "string"
},
{
"Name": "HttpUserAgent",
"Type": "string"
},
{
"Name": "IpAddr",
"Type": "string"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "string"
},
{
"Name": "Process",
"Type": "string"
},
{
"Name": "CommandLine",
"Type": "String"
},
{
"Name": "Rule",
"Type": "string"
},
{
"Name": "RuleName",
"Type": "string"
},
{
"Name": "RuleNumber",
"Type": "int"
},
{
"Name": "Src",
"Type": "string"
},
{
"Name": "SrcDescription",
"Type": "string"
},
{
"Name": "SrcDeviceType",
"Type": "string"
},
{
"Name": "SrcDomain",
"Type": "string"
},
{
"Name": "SrcDomainType",
"Type": "string"
},
{
"Name": "SrcDvcId",
"Type": "string"
},
{
"Name": "SrcDvcIdType",
"Type": "string"
},
{
"Name": "SrcDvcScope",
"Type": "string"
},
{
"Name": "SrcDvcScopeId",
"Type": "string"
},
{
"Name": "SrcFileCreationTime",
"Type": "datetime"
},
{
"Name": "SrcFileDirectory",
"Type": "string"
},
{
"Name": "SrcFileExtension",
"Type": "string"
},
{
"Name": "SrcFileMD5",
"Type": "string"
},
{
"Name": "SrcFileMimeType",
"Type": "string"
},
{
"Name": "SrcFileName",
"Type": "string"
},
{
"Name": "SrcFilePath",
"Type": "string"
},
{
"Name": "SrcFilePathType",
"Type": "string"
},
{
"Name": "SrcFileSHA1",
"Type": "string"
},
{
"Name": "SrcFileSHA256",
"Type": "string"
},
{
"Name": "SrcFileSHA512",
"Type": "string"
},
{
"Name": "SrcFileSize",
"Type": "long"
},
{
"Name": "SrcFQDN",
"Type": "string"
},
{
"Name": "SrcGeoCity",
"Type": "string"
},
{
"Name": "SrcGeoCountry",
"Type": "string"
},
{
"Name": "SrcGeoLatitude",
"Type": "real"
},
{
"Name": "SrcGeoLongitude",
"Type": "real"
},
{
"Name": "SrcGeoRegion",
"Type": "string"
},
{
"Name": "SrcHostname",
"Type": "string"
},
{
"Name": "SrcIpAddr",
"Type": "string"
},
{
"Name": "SrcPortNumber",
"Type": "int"
},
{
"Name": "TargetAppId",
"Type": "string"
},
{
"Name": "TargetAppName",
"Type": "string"
},
{
"Name": "TargetAppType",
"Type": "string"
},
{
"Name": "TargetFileCreationTime",
"Type": "datetime"
},
{
"Name": "TargetFileDirectory",
"Type": "string"
},
{
"Name": "TargetFileExtension",
"Type": "string"
},
{
"Name": "TargetFileMD5",
"Type": "string"
},
{
"Name": "TargetFileMimeType",
"Type": "string"
},
{
"Name": "TargetFileName",
"Type": "string"
},
{
"Name": "TargetFilePath",
"Type": "string"
},
{
"Name": "TargetFilePathType",
"Type": "string"
},
{
"Name": "TargetFileSHA1",
"Type": "string"
},
{
"Name": "TargetFileSHA256",
"Type": "string"
},
{
"Name": "TargetFileSHA512",
"Type": "string"
},
{
"Name": "TargetFileSize",
"Type": "long"
},
{
"Name": "TargetUrl",
"Type": "string"
},
{
"Name": "ThreatCategory",
"Type": "string"
},
{
"Name": "ThreatConfidence",
"Type": "int"
},
{
"Name": "ThreatField",
"Type": "string"
},
{
"Name": "ThreatFilePath",
"Type": "string"
},
{
"Name": "ThreatFirstReportedTime",
"Type": "datetime"
},
{
"Name": "ThreatId",
"Type": "string"
},
{
"Name": "ThreatIpAddr",
"Type": "string"
},
{
"Name": "ThreatIsActive",
"Type": "bool"
},
{
"Name": "ThreatLastReportedTime",
"Type": "datetime"
},
{
"Name": "ThreatName",
"Type": "string"
},
{
"Name": "ThreatOriginalConfidence",
"Type": "string"
},
{
"Name": "ThreatOriginalRiskLevel",
"Type": "string"
},
{
"Name": "ThreatRiskLevel",
"Type": "int"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "Url",
"Type": "string"
},
{
"Name": "User",
"Type": "string"
},
{
"Name": "ActorUserPuid",
"Type": "string"
},
{
"Name": "ActorUpn",
"Type": "string"
}
]
}
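Review bot: The `CommandLine` column near the end of the result list is typed `"String"` while every other column in this file uses the lowercase KQL type name (`"string"`, `"int"`, `"datetime"`); a validator that compares type names literally will see a different type, so it should read `"Type": "string"`. The parameter list declares only `disabled`; if the deployed `_ASim_FileEvent` parser also accepts filter parameters (time window, filter lists) the way `_ASim_ProcessEvent` does elsewhere in this commit, rules that pass them will fail schema validation until they are listed here too — worth confirming against the parser.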


@ -0,0 +1,440 @@
{
"FunctionName": "_ASim_ProcessEvent",
"FunctionParameters": [
{
"Name": "starttime",
"Type": "datetime",
"IsRequired": false
},
{
"Name": "endtime",
"Type": "datetime",
"IsRequired": false
},
{
"Name": "commandline_has_any",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "commandline_has_all",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "commandline_has_any_ip_prefix",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "actingprocess_has_any",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "targetprocess_has_any",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "parentprocess_has_any",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "targetusername",
"Type": "string",
"IsRequired": false
},
{
"Name": "dvcipaddr_has_any_prefix",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "dvcname_has_any",
"Type": "dynamic",
"IsRequired": false
},
{
"Name": "eventtype",
"Type": "string",
"IsRequired": false
},
{
"Name": "disabled",
"Type": "bool",
"IsRequired": false
}
],
"FunctionResultColumns": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int32"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "AdditionalFields",
"Type": "Object"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "string"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "TargetUsername",
"Type": "String"
},
{
"Name": "TargetUsernameType",
"Type": "String"
},
{
"Name": "TargetUserId",
"Type": "String"
},
{
"Name": "TargetUserIdType",
"Type": "String"
},
{
"Name": "TargetUserSessionId",
"Type": "String"
},
{
"Name": "TargetProcessName",
"Type": "String"
},
{
"Name": "TargetProcessCompany",
"Type": "String"
},
{
"Name": "TargetProcessFileDescription",
"Type": "String"
},
{
"Name": "TargetProcessFilename",
"Type": "String"
},
{
"Name": "TargetProcessFileProduct",
"Type": "String"
},
{
"Name": "TargetProcessFileVersion",
"Type": "String"
},
{
"Name": "TargetProcessIsHidden",
"Type": "SByte"
},
{
"Name": "TargetProcessInjectedAddress",
"Type": "String"
},
{
"Name": "TargetProcessMD5",
"Type": "String"
},
{
"Name": "TargetProcessSHA1",
"Type": "String"
},
{
"Name": "TargetProcessSHA256",
"Type": "String"
},
{
"Name": "TargetProcessSHA512",
"Type": "String"
},
{
"Name": "TargetProcessIMPHASH",
"Type": "String"
},
{
"Name": "TargetProcessCommandLine",
"Type": "String"
},
{
"Name": "TargetProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "TargetProcessId",
"Type": "String"
},
{
"Name": "TargetProcessGuid",
"Type": "String"
},
{
"Name": "TargetProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "TargetProcessTokenElevation",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "ActingProcessCommandLine",
"Type": "String"
},
{
"Name": "ActingProcessName",
"Type": "String"
},
{
"Name": "ActingProcessCompany",
"Type": "String"
},
{
"Name": "ActingProcessFileDescription",
"Type": "String"
},
{
"Name": "ActingProcessFileProduct",
"Type": "String"
},
{
"Name": "ActingProcessFileVersion",
"Type": "String"
},
{
"Name": "ActingProcessIsHidden",
"Type": "SByte"
},
{
"Name": "ActingProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ActingProcessId",
"Type": "String"
},
{
"Name": "ActingProcessGuid",
"Type": "String"
},
{
"Name": "ActingProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ActingProcessMD5",
"Type": "String"
},
{
"Name": "ActingProcessSHA1",
"Type": "String"
},
{
"Name": "ActingProcessSHA256",
"Type": "String"
},
{
"Name": "ActingProcessSHA512",
"Type": "String"
},
{
"Name": "ActingProcessIMPHASH",
"Type": "String"
},
{
"Name": "ActingProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "ParentProcessName",
"Type": "String"
},
{
"Name": "ParentProcessCompany",
"Type": "String"
},
{
"Name": "ParentProcessFileDescription",
"Type": "String"
},
{
"Name": "ParentProcessFileProduct",
"Type": "String"
},
{
"Name": "ParentProcessFileVersion",
"Type": "String"
},
{
"Name": "ParentProcessIsHidden",
"Type": "SByte"
},
{
"Name": "ParentProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ParentProcessId",
"Type": "String"
},
{
"Name": "ParentProcessGuid",
"Type": "String"
},
{
"Name": "ParentProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ParentProcessMD5",
"Type": "String"
},
{
"Name": "ParentProcessSHA1",
"Type": "String"
},
{
"Name": "ParentProcessSHA256",
"Type": "String"
},
{
"Name": "ParentProcessSHA512",
"Type": "String"
},
{
"Name": "ParentProcessIMPHASH",
"Type": "String"
},
{
"Name": "ParentProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "Dvc",
"Type": "String"
},
{
"Name": "User",
"Type": "String"
},
{
"Name": "Process",
"Type": "String"
},
{
"Name": "CommandLine",
"Type": "String"
},
{
"Name": "Hash",
"Type": "String"
}
]
}
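Review bot: This schema uses a different type vocabulary from the `_ASim_FileEvent` and `_ASim_RegistryEvent` schemas added in the same commit: `"String"`, `"DateTime"`, `"Int32"`, `"Object"` and `"SByte"` here versus `"string"`, `"datetime"`, `"int"`, `"dynamic"` and `"bool"` there, and within this file `DvcDomain` alone is `"string"`. If the validator matches KQL type names, `EventCount`, `AdditionalFields` and the three `*ProcessIsHidden` columns will not line up with what the parser emits (I'd expect `int`, `dynamic` and `bool` — confirm against the parser). Normalizing to the lowercase KQL names used by the sibling files, e.g. `"Type": "bool"` for `TargetProcessIsHidden`, keeps the three schema files mutually consistent.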


@ -0,0 +1,200 @@
{
"FunctionName": "_ASim_RegistryEvent",
"FunctionParameters": [
{
"Name": "disabled",
"Type": "bool",
"IsRequired": false
}
],
"FunctionResultColumns": [
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "EventType",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "EventProductVersion",
"Type": "string"
},
{
"Name": "EventCount",
"Type": "int"
},
{
"Name": "EventMessage",
"Type": "string"
},
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventSchemaVersion",
"Type": "string"
},
{
"Name": "EventOriginalUid",
"Type": "string"
},
{
"Name": "EventOriginalType",
"Type": "string"
},
{
"Name": "EventStartTime",
"Type": "datetime"
},
{
"Name": "EventEndTime",
"Type": "datetime"
},
{
"Name": "EventReportUrl",
"Type": "string"
},
{
"Name": "AdditionalFields",
"Type": "dynamic"
},
{
"Name": "RegistryKey",
"Type": "string"
},
{
"Name": "RegistryValue",
"Type": "string"
},
{
"Name": "RegistryValueType",
"Type": "string"
},
{
"Name": "RegistryValueData",
"Type": "string"
},
{
"Name": "RegistryPreviousKey",
"Type": "string"
},
{
"Name": "RegistryPreviousValue",
"Type": "string"
},
{
"Name": "RegistryPreviousValueType",
"Type": "string"
},
{
"Name": "RegistryPreviousValueData",
"Type": "string"
},
{
"Name": "DvcId",
"Type": "string"
},
{
"Name": "DvcHostname",
"Type": "string"
},
{
"Name": "DvcDomain",
"Type": "string"
},
{
"Name": "DvcIpAddr",
"Type": "string"
},
{
"Name": "DvcOs",
"Type": "string"
},
{
"Name": "DvcOsVersion",
"Type": "string"
},
{
"Name": "DvcMacAddr",
"Type": "string"
},
{
"Name": "ActorUsername",
"Type": "string"
},
{
"Name": "ActorUsernameType",
"Type": "string"
},
{
"Name": "ActorUserId",
"Type": "string"
},
{
"Name": "ActorUserIdType",
"Type": "string"
},
{
"Name": "ActorSessionId",
"Type": "string"
},
{
"Name": "ActingProcessCommandLine",
"Type": "string"
},
{
"Name": "ActingProcessName",
"Type": "string"
},
{
"Name": "ActingProcessId",
"Type": "string"
},
{
"Name": "ActingProcessGuid",
"Type": "string"
},
{
"Name": "ParentProcessName",
"Type": "string"
},
{
"Name": "ParentProcessId",
"Type": "string"
},
{
"Name": "ParentProcessGuid",
"Type": "string"
},
{
"Name": "Dvc",
"Type": "string"
},
{
"Name": "User",
"Type": "string"
},
{
"Name": "Process",
"Type": "string"
},
{
"Name": "Username",
"Type": "string"
}
]
}
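Review bot: `Username` (the last column) sits next to `User`, but the rules in this commit derive `Username` themselves with `extend Username = ...` from `ActorUsername`, which suggests the parser does not emit it. If that is the case, this schema advertises a column that does not exist and validation of any rule reading `Username` directly would pass falsely; please confirm against the parser output and drop the entry if it is not produced.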


@ -2576,6 +2576,11 @@
"templateName": "DetectPortMisuseByStaticThresholdHunting.yaml",
"validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known issue when using Watchlist"
},
{
"id": "595aea5c-74c7-415b-8b12-10af1a338cdf",
"templateName": "FilesWithRansomwareExtensions.yaml",
"validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known limitaion for validation."
},
{
"id": "320e7a40-d60e-4e07-9ef7-798f5383625d",
"templateName": "AFD-Premium-WAF-XSSDetection.yaml",
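Review bot: The new exemption for `FilesWithRansomwareExtensions.yaml` copies the reason text of the entry above it, including the doubled "are used being used" and the misspelling "limitaion"; since this string is what a maintainer reads to decide whether the exemption is still needed, it should state the actual blocker, e.g. `"validationFailReason": "KQL validation cannot resolve the Watchlist custom columns referenced by this query; known validator limitation."`. An exemption removes schema checking from a detection entirely, so naming the Watchlist and columns the rule depends on would make it reviewable later. The enclosing array begins and ends outside this hunk.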


@ -0,0 +1,97 @@
id: 259de2c1-c546-4c6d-a17c-df639722f4d7
name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
description: |
This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
https://attack.mitre.org/techniques/T1490/
severity: High
status: Available
tags:
- Schema: _ASim_ProcessEvent
SchemaVersion: 0.1.4
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1490
query: |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
alertDescriptionFormat: "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files."
version: 1.0.0
kind: Scheduled
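Review bot: The second branch of the union filters on `TargetProcessFilename =~ 'bcedit.exe'`, but the Windows boot-configuration tool is `bcdedit.exe`, so as written that branch can never match; the `description` text repeats the misspelling. In the first branch `CommandLine has_all ('delete', 'shadow')` uses term matching, so the single token `shadowcopy` is not matched by `'shadow'` and the `wmic shadowcopy delete` form is missed; `| where CommandLine has 'delete' and CommandLine has_any ('shadow', 'shadowcopy')` closes that gap. Both branches scan `_ASim_ProcessEvent` separately; one pass with the two predicates joined by `or` would drop the second scan and the `union isfuzzy=True`.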


@ -0,0 +1,109 @@
id: 7edde3d4-9859-4a00-b93c-b19ddda55320
name: Detect Print Processors Registry Driver Key Creation/Modification
description: |
This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.
severity: Medium
status: Available
tags:
- Schema: _ASim_RegistryEvent
SchemaVersion: 0.1.2
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1547
query: |
// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: ActingProcessCommandLine
- entityType: RegistryKey
fieldMappings:
- identifier: Hive
columnName: RegHive
- identifier: Key
columnName: RegKey
- entityType: RegistryValue
fieldMappings:
- identifier: Name
columnName: RegistryValue
- identifier: Value
columnName: RegistryValueData
- identifier: ValueType
columnName: RegistryValueType
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDisplayNameFormat: "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})"
alertDescriptionFormat: "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}."
version: 1.0.0
kind: Scheduled
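Review bot: `alertDisplayNameFormat` references `{{DvcIpAddr}}`, but `DvcIpAddr` is not in the `project` list, so the placeholder cannot be filled at alert time; add `DvcIpAddr,` to the projection (the Registry Run Key rule added in this commit has the same omission). The regex in `printProcessorRegistryRegEx` requires the environment name to be `Windows` plus exactly one alphanumeric token and the processor name to be `[A-Za-z0-9]+`, so the `Windows NT x86` environment and processor names containing `_` or `-` never match; `Environments\\[^\\]+\\Print Processors\\[^\\]+\\Driver` would cover them. Since `Driver` is the value being set, confirm with the parser whether `RegistryKey` actually carries the trailing `\Driver` or whether it lands in `RegistryValue`; if the latter, the regex should end at the processor name and `RegistryValue =~ 'Driver'` be checked separately.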


@ -0,0 +1,125 @@
id: dd041e4e-1ee2-41ec-ba4e-82a71d628260
name: Detect Registry Run Key Creation/Modification
description: |
This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.
severity: Medium
status: Available
tags:
- Schema: _ASim_RegistryEvent
SchemaVersion: 0.1.2
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
relevantTechniques:
- T1547
- T1112
query: |
// List of startup registry keys to monitor
let startupRegistryList = dynamic([
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce',
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices',
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run',
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit',
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell',
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: ActingProcessCommandLine
- entityType: RegistryKey
fieldMappings:
- identifier: Hive
columnName: RegHive
- identifier: Key
columnName: RegKey
- entityType: RegistryValue
fieldMappings:
- identifier: Name
columnName: RegistryValue
- identifier: Value
columnName: RegistryValueData
- identifier: ValueType
columnName: RegistryValueType
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDisplayNameFormat: "Registry Run Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})"
alertDescriptionFormat: "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry run key {{RegistryKey}}."
version: 1.0.0
kind: Scheduled
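Review bot: The `Winlogon\\Userinit` and `Winlogon\\Shell` entries of `startupRegistryList` name registry values, not keys; if the parser puts the key path in `RegistryKey` and the value name in `RegistryValue`, `RegistryKey has_any (...)` never matches them, and they should instead be matched as `RegistryKey has 'Winlogon' and RegistryValue in~ ('Userinit', 'Shell')`. The `{{DvcIpAddr}}` placeholder in `alertDisplayNameFormat` has the same projection gap noted on the Print Processors rule in this commit.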


@ -0,0 +1,98 @@
id: fdbcc0eb-44fb-467e-a51d-a91df0780a81
name: Process Creation with Suspicious CommandLine Arguments
description: |
This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.
severity: Medium
status: Available
tags:
- Schema: _ASim_ProcessEvent
SchemaVersion: 0.1.4
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
- DefenseEvasion
relevantTechniques:
- T1059
- T1027
query: |
_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
| where strlen(CommandLineArgs) > 0
| mv-apply CommandLineArgs on
(
where CommandLineArgs contains "base64"
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
version: 1.0.0
kind: Scheduled
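Review bot: `strlen(CommandLineArgs)` is applied to a dynamic array (the result of `todynamic(array_slice(...))`); the length of an array is `array_length`, so this should be `| where array_length(CommandLineArgs) > 0`, and the `todynamic` wrapper is redundant because `array_slice` already returns dynamic. The `mv-apply ... where CommandLineArgs contains "base64"` emits one row per matching argument, so with `AlertPerResult` a single process whose command line carries the token twice raises two alerts; `| where CommandLine contains "base64"` gives the same match with one row per process. The name and description promise detection of base64-encoded arguments, but the query only matches the literal substring `base64`, which the description should say plainly.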


@ -0,0 +1,113 @@
id: 056593d4-ca3b-47a7-be9d-d1d0884a1d36
name: Detect Windows Allow Firewall Rule Addition/Modification
description: |
This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.
severity: Medium
status: Available
tags:
- Schema: _ASim_RegistryEvent
SchemaVersion: 0.1.2
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
// List of Windows Firewall registry keys to monitor
let firewallRegistryList = dynamic([
'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System',
'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System',
'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules',
'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall'
]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: ActingProcessCommandLine
- entityType: RegistryKey
fieldMappings:
- identifier: Hive
columnName: RegHive
- identifier: Key
columnName: RegKey
- entityType: RegistryValue
fieldMappings:
- identifier: Name
columnName: RegistryValue
- identifier: Value
columnName: RegistryValueData
- identifier: ValueType
columnName: RegistryValueType
eventGroupingSettings:
aggregationKind: singleAlert
alertDetailsOverride:
alertDisplayNameFormat: "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}"
alertDescriptionFormat: "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} by {{Username}}."
version: 1.0.0
kind: Scheduled
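Review bot: The `NTDomain` extend in the query falls back to the whole `ActorUsername` when `ActorUsernameType` is not `Windows`, so a UPN or a bare user name is emitted as an NT domain and mapped onto both the Host and the Account entity; the fallback should be the empty string, `| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), '')`. The same pattern is in the Windows Update rule (its `NTDomain` extend on `ActorUsername`) and in the scheduled-task hunting query on `TargetUsername`, and the hunting queries that split on `User contains '\\'` already use `''` there. `aggregationKind: singleAlert` also differs in casing from the `AlertPerResult` used in the preceding rule; the documented values are `SingleAlert` and `AlertPerResult`, so it is worth confirming the template builder accepts the lowercase form before this ships.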


@ -0,0 +1,112 @@
id: f1443a87-78d5-40c3-b051-f468f0f2def0
name: Detect Windows Update Disabled from Registry
description: |
This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.
severity: Medium
status: Available
tags:
- Schema: _ASim_RegistryEvent
SchemaVersion: 0.1.2
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
// List of Windows Firewall registry keys to monitor
let windowsUpdateRegistryList = dynamic([
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate',
'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU'
]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey has_any (windowsUpdateRegistryList)
| where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: ActingProcessCommandLine
- entityType: RegistryKey
fieldMappings:
- identifier: Hive
columnName: RegHive
- identifier: Key
columnName: RegKey
- entityType: RegistryValue
fieldMappings:
- identifier: Name
columnName: RegistryValue
- identifier: Value
columnName: RegistryValueData
- identifier: ValueType
columnName: RegistryValueType
eventGroupingSettings:
aggregationKind: singleAlert
alertDetailsOverride:
alertDisplayNameFormat: "Windows Update Disabled from Registry on {{HostName}}"
alertDescriptionFormat: "Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}"
version: 1.0.0
kind: Scheduled
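Review bot: The comment heading the registry list, `// List of Windows Firewall registry keys to monitor`, was carried over from the firewall rule and describes the wrong keys; it should read `// List of Windows Update registry keys to monitor`. The filter `RegistryValueData == '1'` also assumes every listed source normalises the DWORD to a bare decimal string; if any of the EDR parsers emit the value in another textual form, those events are silently missed, so this is worth validating against sample data from each connector rather than assumed.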


@ -0,0 +1,35 @@
{
"Name": "Malware Protection Essentials",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. 
[Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
"Analytic Rules": [
"Analytic Rules/StartupRegistryModified.yaml",
"Analytic Rules/PrintProcessersModified.yaml",
"Analytic Rules/SuspiciousProcessCreation.yaml",
"Analytic Rules/BackupDeletionDetected.yaml",
"Analytic Rules/WindowsUpdateDisabled.yaml",
"Analytic Rules/WindowsAllowFirewallRuleAdded.yaml"
],
"Hunting Queries": [
"Hunting Queries/NewMaliciousScheduledTask.yaml",
"Hunting Queries/FileCretaedInStartupFolder.yaml",
"Hunting Queries/FilesWithRansomwareExtensions.yaml",
"Hunting Queries/NewScheduledTaskCreation.yaml",
"Hunting Queries/SystemFilesModifiedByUser.yaml",
"Hunting Queries/ExecutableInUncommonLocation.yaml"
],
"Watchlists": [
"Watchlists/RansomwareFileExtensions.json"
],
"WatchlistDescription": "This watchlist contains a list of file extensions that are commonly used by ransomware. Add additional file extensions to this watchlist as required.",
"Workbooks": [
"Workbooks/MalwareProtectionEssentialsWorkbook.json"
],
"WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}
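Review bot: The `Description` embeds the docs link as an Outlook safelinks redirect whose query string carries an employee e-mail address and mail-tracking parameters; a published package should link the destination directly, which from the encoded `url=` parameter is `https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions`. The same wrapped link appears again in the `Microsoft.Azure.CreateUIDef` document further down this commit. The prerequisite list names network-schema solutions (Azure Firewall, Palo Alto PANOS, Zscaler and so on) while every rule and hunting query in this solution declares endpoint connectors (CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black, Cisco Secure Endpoint, Trend Micro) on the `_ASim_FileEvent`, `_ASim_ProcessEvent` and `_ASim_RegistryEvent` schemas, so the list looks copied from another ASIM solution and should name the endpoint products instead. The text also recommends a **Summarize data** logic app, but this file lists no `Playbooks` entry, so either the playbook is missing from the package or the recommendation should be removed.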


@ -0,0 +1,104 @@
id: ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f
name: Executable Files Created in Uncommon Locations
description: |
This analytic rule detects any executable file creation in uncommon locations like temproray folders. This could be an indication of a persistence or defese evasion attempt by an adversary.
tags:
- Schema: _ASim_FileEvent
SchemaVersion: 0.2.1
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
relevantTechniques:
- T1037
- T1547
- T1564
query: |
// List of file extensions to monitor
let executableExtensions = dynamic(['exe', 'bat', 'cmd', 'vbs', 'ps1', 'psm1', 'wsf']);
// List of file locations to monitor
let fileLocations = dynamic([
'\\Windows\\System32\\',
'\\Windows\\Temp\\',
'\\AppData\\Local\\Temp\\',
'\\Recycle Bin\\'
]);
_ASim_FileEvent
| where EventType == 'FileCreated'
| extend FileExtension = tostring(split(FileName, '.')[1])
| where FileExtension in~ (executableExtensions) and FilePath has_any (fileLocations)
| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)
| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')
| extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username)
| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend File_0_Name = FileName
| extend File_0_Directory = FilePath
| extend FileHash_0_Algorithm = HashType
| extend FileHash_0_Value = Hash
| extend Process_0_ProcessId = ActingProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- identifier: Directory
columnName: FilePath
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: HashType
- identifier: Value
columnName: Hash
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
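Review bot: `FileExtension = tostring(split(FileName, '.')[1])` takes the second dot-separated segment rather than the last, so a double-extension name such as `invoice.pdf.exe` yields `pdf` and is not matched, and a name without a dot yields an empty string; use the last segment, `| extend FileExtension = tostring(split(FileName, '.')[-1])`. The ransomware-extension hunting query has the same extraction, where it matters more because an appended extension (`report.docx.locked`) yields `docx` and the watchlist never matches. Separately, `\\Windows\\System32\\` sits in a list the description calls uncommon locations, yet it is where Windows Update and installers legitimately write executables, so expect that entry to dominate results; the description also has typos (`temproray`, `defese`).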


@ -0,0 +1,101 @@
id: 64e199a8-b26c-462f-a65c-09ed9b53a47b
name: Detect File Creation in Startup Folder
description: |
This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system.
tags:
- Schema: _ASim_FileEvent
SchemaVersion: 0.2.1
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
relevantTechniques:
- T1547
- T1112
query: |
// List of startup folders to monitor for Windows and Linux
let startupFolderList = dynamic([
'\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\',
'\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\',
'/etc/init.d/',
'/etc/rc.d/',
'/etc/cron.d/'
]);
_ASim_FileEvent
| where EventType == 'FileCreated'
| where FilePath has_any (startupFolderList)
| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)
| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')
| extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username)
| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend File_0_Name = FileName
| extend File_0_Directory = FilePath
| extend FileHash_0_Algorithm = HashType
| extend FileHash_0_Value = Hash
| extend Process_0_ProcessId = ActingProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- identifier: Directory
columnName: FilePath
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: HashType
- identifier: Value
columnName: Hash
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
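Review bot: `relevantTechniques` lists `T1112` (Modify Registry) for a query that only reads `_ASim_FileEvent` creations under startup folders; the registry is never consulted here, so the tag misstates coverage and should be dropped, `T1547` already covers the autostart case. On the Linux side `startupFolderList` stops at SysV init and cron directories; systemd unit directories are the usual equivalent on current distributions and are absent, so either add them or state in the description that the query is limited to the listed paths.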


@ -0,0 +1,95 @@
id: 595aea5c-74c7-415b-8b12-10af1a338cdf
name: Detect Files with Ramsomware Extensions
description: |
This hunting query identifies cretion of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions.
tags:
- Schema: _ASim_FileEvent
SchemaVersion: 0.2.1
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- Execution
- Impact
relevantTechniques:
- T1204
- T1486
query: |
// Get list of ransomware file extensions from watchlist RansomwareFileExtension
let RansomwareFileExtensions = _GetWatchlist('RansomwareFileExtensions') | where Enabled == 'Yes' | project FileExtension;
_ASim_FileEvent
| where EventType !in ('FileDeleted' , 'DeleteFile')
| extend FileExtension = tostring(split(FileName, '.')[1])
| where FileExtension in~ (RansomwareFileExtensions)
| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)
| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')
| extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username)
| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend File_0_Name = FileName
| extend File_0_Directory = FilePath
| extend FileHash_0_Algorithm = HashType
| extend FileHash_0_Value = Hash
| extend Process_0_ProcessId = ActingProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- identifier: Directory
columnName: FilePath
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: HashType
- identifier: Value
columnName: Hash
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
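Review bot: The rule `name` has a typo, `Ramsomware`, and the description another, `cretion`; as `name` is what operators see in the hunting gallery, fix both: `name: Detect Files with Ransomware Extensions` and `This hunting query identifies creation of files with ransomware extensions.` The comment above the watchlist lookup names the watchlist `RansomwareFileExtension` while the alias queried is `RansomwareFileExtensions`; the comment should use the same alias so that a reader checking the watchlist is not misled.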


@ -0,0 +1,97 @@
id: b43394b9-fa91-4d98-b331-619926a933bb
name: Detect New Scheduled Task Creation that Run Executables From Non-Standard Location
description: |
This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system.
tags:
- Schema: _ASim_ProcessEvent
SchemaVersion: 0.1.4
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- Execution
- PrivilegeEscalation
- Persistence
relevantTechniques:
- T1053
query: |
// List of file locations to monitor
let fileLocations = dynamic([
'\\Windows\\Temp\\',
'\\AppData\\Local\\Temp\\',
'\\Recycle Bin\\'
]);
_ASim_ProcessEvent
| where EventType == 'ProcessCreated'
| where TargetProcessName has 'schtasks.exe' and TargetProcessCommandLine has_any (fileLocations)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend IP_0_Address = DvcIpAddr
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend Process_0_ProcessId = TargetProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
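Review bot: The filter `TargetProcessName has 'schtasks.exe' and TargetProcessCommandLine has_any (fileLocations)` fires on any schtasks invocation that mentions a temp path, including query, run and delete operations, while the name and description promise new task creation. Narrowing with `| where TargetProcessCommandLine has_any ('/create', '/change')` would align the query with its stated intent; `has_any` is case-insensitive, so the flag casing the operator used does not matter. The comment `// List of file locations to monitor` would then be clearer as `// Non-standard locations a task action should not point at`.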


@ -0,0 +1,94 @@
id: 4dc0aae4-6375-4670-b138-8c42490ba206
name: Detect New Scheduled Task Entry Creations
description: |
This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system.
tags:
- Schema: _ASim_FileEvent
SchemaVersion: 0.2.1
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- Execution
- PrivilegeEscalation
- Persistence
relevantTechniques:
- T1053
query: |
_ASim_FileEvent
| where EventType in ('FileCreated' , 'FileModified')
| where FilePath has '\\Windows\\System32\\Tasks'
| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)
| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')
| extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username)
| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend File_0_Name = FileName
| extend File_0_Directory = FilePath
| extend FileHash_0_Algorithm = HashType
| extend FileHash_0_Value = Hash
| extend Process_0_ProcessId = ActingProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- identifier: Directory
columnName: FilePath
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: HashType
- identifier: Value
columnName: Hash
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
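Review bot: The `summarize` assigns `StartTime = max(TimeGenerated), EndTime = min(TimeGenerated)`, which is inverted: the earliest observation is the start and the latest the end, so every row reports a window that runs backwards. It should read `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType`. The system-files hunting query below has the same inverted aggregation.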


@ -0,0 +1,111 @@
id: 54b222c4-0149-421e-9d6d-da66da50495a
name: Detect Modification to System Files or Directories by User Accounts
description: |
This hunting query searches for modifications to system files or directories by a non system account (User Account).
tags:
- Schema: _ASim_FileEvent
SchemaVersion: 0.2.1
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tactics:
- DefenseEvasion
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1036
- T1543
query: |
// List of system file and directories to monitor
let systemFilesAndDirs = dynamic([
"\\Windows\\System32",
"//etc",
"//bin",
"//root",
"//lib",
"//usr",
"//dev"
]);
let systemUserTypes = dynamic([
'System',
'Service',
'Machine',
'Other'
]);
_ASim_FileEvent
| where EventType in ('FileCreated' , 'FileModified')
| where FilePath has_any (systemFilesAndDirs) and ActorUserType !in (systemUserTypes)
| where isnotempty(ActorUserType)
| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType
| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)
| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')
| extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username)
| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '')
| extend Host_0_HostName = DvcHostname
| extend Host_0_DnsDomain = DvcDomain
| extend Host_0_NTDomain = NTDomain
| extend Account_0_Name = Username
| extend Account_0_UPNSuffix = UPNSuffix
| extend Account_0_NTDomain = NTDomain
| extend File_0_Name = FileName
| extend File_0_Directory = FilePath
| extend FileHash_0_Algorithm = HashType
| extend FileHash_0_Value = Hash
| extend Process_0_ProcessId = ActingProcessId
| extend Process_0_CommandLine = CommandLine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- identifier: Directory
columnName: FilePath
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: HashType
- identifier: Value
columnName: Hash
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessId
- identifier: CommandLine
columnName: CommandLine
version: 1.0.0
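Review bot: The Linux entries in `systemFilesAndDirs` are written with a double slash (`//etc`, `//bin`, …), presumably a typo for a single slash; because `has_any` is term-based the slashes take no part in the match, so `//bin` or `//dev` will also hit a `bin` or `dev` directory anywhere under a user's home. If the intent is to anchor on the root-level system directories, a prefix match is needed for the Linux paths, for example `| where FilePath matches regex @'^/(etc|bin|root|lib|usr|dev)/' or FilePath has '\\Windows\\System32'` — hedged, since that changes which events the Windows entry matches as well. The exclusion list also drops `ActorUserType == 'Other'`, which some parsers use as the catch-all for user types they cannot classify, so real interactive activity may be filtered out; worth confirming against the connectors listed.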

Solutions/Malware Protection Essentials/Package/3.0.0.zip Normal file



@ -0,0 +1,359 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Malware%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\n[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. 
[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. 
[Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 6, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Malware Protection Essentials",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions."
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Detect Registry Run Key Creation/Modification",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Detect Print Processors Registry Driver Key Creation/Modification",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Process Creation with Suspicious CommandLine Arguments",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Detect Windows Update Disabled from Registry",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Detect Windows Allow Firewall Rule Addition/Modification",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Detect New Scheduled Task Creation that Run Executables From Non-Standard Location",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Detect File Creation in Startup Folder",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Detect Files with Ramsomware Extensions",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies cretion of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Detect New Scheduled Task Entry Creations",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Detect Modification to System Files or Directories by User Accounts",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query searches for modifications to system files or directories by a non system account (User Account). This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "Executable Files Created in Uncommon Locations",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This analytic rule detects any executable file creation in uncommon locations like temproray folders. This could be an indication of a persistence or defese evasion attempt by an adversary. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackEvents_CL CiscoSecureEndpoint_CL TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
}
]
},
{
"name": "watchlists",
"label": "Watchlists",
"subLabel": {
"preValidation": "Configure the watchlists",
"postValidation": "Done"
},
"bladeTitle": "Watchlists",
"elements": [
{
"name": "watchlists-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.",
"link": {
"label": "Learn more",
"uri": "https://aka.ms/sentinelwatchlists"
}
}
},
{
"name": "watchlist1",
"type": "Microsoft.Common.Section",
"label": "Ransomware File Extensions",
"elements": [
{
"name": "watchlist1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This watchlist contains a list of file extensions that are commonly used by ransomware. Add additional file extensions to this watchlist as required."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
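Review bot: The "domain solution" link inside the `basics.description` string (the sentence starting `[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/...)`) is an Outlook Safe Links redirector whose query string embeds an individual Microsoft employee's email address and a tenant GUID — personal data and a click-tracking wrapper shipped in a public marketplace artifact, and a dependency on a redirector rather than the documentation site; replace it with the direct URL it wraps, `https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions`. The prerequisite list in the same string names only network/firewall product solutions (AWS, Azure Firewall, NSG, Check Point, Cisco ASA, Palo Alto, Zscaler, ...), while the workbook text and every hunting-query description in this file say the content runs on File/Process/Registry EDR events from the CrowdStrike, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint and Trend Micro connectors, so the list appears to be copied from a network-session solution and would steer users to install sources that feed none of this content. The description also recommends a "Summarize data" logic-app playbook that neither the package counts (`**Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 6, **Watchlists:** 1`) nor the wizard `steps` include, so either a playbook step is missing from the package or that recommendation and the `Microsoft.Logic/workflows` resource provider should be dropped. Minor: the hunting-query texts list `TMApexOneEvent` twice and contain the typos "Ramsomware", "cretion", "temproray" and "defese", and `huntingquery6-text` calls itself "This analytic rule" although it describes a hunting query.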



@ -0,0 +1,40 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"watchlist1-id": {
"type": "string",
"defaultValue": "RansomwareFileExtensions",
"minLength": 1,
"metadata": {
"description": "Unique id for the watchlist"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Malware Protection Essentials",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
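Review bot: The `workspace` parameter carries `"defaultValue": ""` but, unlike `watchlist1-id` and `workbook1-name`, declares no `minLength`, so a deployment that omits the workspace name passes parameter validation and presumably only fails later when the workspace-scoped resources are created, with a less obvious error. Add `"minLength": 1` to `workspace`, and likewise to `workspace-location`, which is also defaulted to `""` and is described as the region the solution resources deploy into. The `workspace-location` description is built as `[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]`, which glues the unused `location` value onto the help text with no separator; a plain string such as `Region to deploy solution resources; derived from the selected Log Analytics workspace` reads correctly and avoids evaluating an expression inside metadata.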


@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------|
|3.0.0 |21-12-2023 |Initial Solution Release|


@ -0,0 +1,20 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-malwareprotection",
"firstPublishDate": "2023-09-25",
"lastPublishDate": "2023-09-25",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
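Review bot: `firstPublishDate` and `lastPublishDate` are both `"2023-09-25"`, which disagrees with the release notes added in this same commit (`3.0.0 | 21-12-2023 | Initial Solution Release`) and with the merge date of the PR. An initial release should carry the date it actually ships, so both fields should be set to the 3.0.0 release date, and `lastPublishDate` needs to be bumped together with the version on each later package update so the marketplace listing and release notes stay consistent.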


@ -0,0 +1,202 @@
FileExtension,Description,Enabled
_AiraCropEncrypted,AiraCrop Ransomware affecte file,Yes
1cbu1,Princess Locker ransomware affected file,Yes
1txt,Enigma ransomware affected file,Yes
73i87A,Xorist Ransomware affected data,Yes
a5zfn,Alma Locker ransomware affected data,Yes
aaa,TeslaCrypt ransomware encrypted data,No
abc,TeslaCrypt ransomware encrypted data,Yes
adk,Angry Duck ransomware affected file,Yes
aesir,Locky ransomware affected file,Yes
alcatraz,Alcatraz Locker ransomware affected file,Yes
angelamerkel,Angela Merkel ransomware affected file,Yes
AngleWare,HiddenTear/MafiaWare (variant) ransomware affected file,Yes
antihacker2017,Xorist (variant) Ransomware affected file,Yes
atlas,Atlas ransomware affected file,Yes
axx,AxCrypt encrypted data,Yes
BarRax,BarRax (HiddenTear variant) ransomware affected file,Yes
bin,Alpha/Alfa ransomware affected data,No
bitstak,Bitstak ransomware affected data,Yes
braincrypt,Braincrypt ransomware affected file,Yes
breaking_bad,Files1147@gmail(.)com ransomware affected data,Yes
bript,BadEncriptor ransomware affected file,Yes
btc,Jigsaw Ransomware affected data,Yes
ccc,TeslaCrypt or Cryptowall encrypted data,No
CCCRRRPPP,Unlock92 ransomware affected data,Yes
cerber,Cerber ransomware affected data,Yes
cerber2,Cerber 2 ransomware affected file,Yes
cerber3,Cerber 3 ransomware affected data,Yes
coded,Anubis ransomware affected file,Yes
comrade,Comrade ransomware affected file,Yes
conficker,Conficker ransomware affected file,Yes
coverton,Coverton ransomware affected data,Yes
covid19,Phishing / ransomware file,Yes
covid-19,Phishing / ransomware file,Yes
crab,GandCrab ransomware affected data,Yes
crinf,DecryptorMax or CryptInfinite ransomware affected data,Yes
crjoker,CryptoJoker ransomware affected data,Yes
crptrgr,CryptoRoger ransomware affected data,Yes
cry,CryLocker ransomware affected data,Yes
cryeye,DoubleLocker ransomware affected data,Yes
cryp1,CryptXXX ransomware affected data,Yes
crypt,Scatter ransomware affected data,Yes
crypte,Jigsaw (variant) ransomware affected file,Yes
crypted,Nemucod ransomware affected file,Yes
cryptolocker,CryptoLocker encrypted file,Yes
cryptowall,Encrypted file by Cryptowall ransomware,Yes
crypz,CryptXXX ransomware affected data,Yes
czvxce,Coverton ransomware affected file,Yes
d4nk,PyL33T ransomware affected file,Yes
dale,Chip ransomware affected file,Yes
damage,Damage ransomware affected file,Yes
darkness,Rakhni ransomware affected data,Yes
dCrypt,DummyLocker ransomware affected file,Yes
deadbolt,Deadbolt ransomware affected file,Yes
decrypt2017,Globe 3 ransomware affected file,Yes
derp,Derp ransomware renamed file,Yes
Dexter,Troldesh (variant) ransomware affected file,Yes
dharma,CrySiS ransomware affected file,Yes
dll,FSociety ransomware affected file,No
dxxd,DXXD ransomware affected file,Yes
ecc,Cryptolocker or TeslaCrypt virus encrypted file,Yes
edgel,EdgeLocker ransomware affected file,Yes
enc,TorrentLocker ransomware affected file,No
enc,Cryptorium ransomware affected file,No
enciphered,Malware (ransomware) encoded data,Yes
EnCiPhErEd,Xorist Ransomware affected data,Yes
encr,FileLocker ransomware affected file,Yes
encrypt,Alpha ransomware affected data,Yes
encrypted,Various ransomware affected file,Yes
encrypted,Donald Trump ransomware affected file,Yes
encrypted,KeRanger OS X ransomware affected file,Yes
enigma,Coverton ransomware affected data,Yes
evillock,Evil-JS (variant) ransomware affected file,Yes
exotic,Exotic ransomware affected file,Yes
exx,Alpha Crypt encrypted data,Yes
ezz,Alpha Crypt virus encrypted data,Yes
fantom,Fantom ransomware affected data,Yes
file0locked,Evil ransomware affected file,Yes
fucked,Manifestus ransomware affected file,Yes
fun,Jigsaw Ransomware affected data,Yes
fun,Jigsaw (variant) ransomware affected file,Yes
gefickt,Jigsaw (variant) ransomware affected file,Yes
globe,Globe ransomware affected file,Yes
good,Scatter ransomware affected data,Yes
grt,Karmen HiddenTear (variant) ransomware affected file,Yes
ha3,El-Polocker affected file,Yes
helpmeencedfiles,Samas/SamSam ransomware affected file,Yes
herbst,Herbst ransomware affacted data,Yes
hnumkhotep,Globe 3 ransomware affected file,Yes
hush,Jigsaw ransomware affected file,Yes
ifuckedyou,SerbRansom ransomware affected file,Yes
info,PizzaCrypts Ransomware affected data,Yes
kernel_complete,KeRanger OS X ransomware data,Yes
kernel_pid,KeRanger OS X ransomware data,Yes
kernel_time,KeRanger OS X ransomware,Yes
keybtc@inbox_com,KeyBTC ransomware affected data,Yes
kimcilware,KimcilWare ransomware affected data,Yes
kkk,Jigsaw Ransomware affected data,Yes
kostya,Kostya ransomware affected file,Yes
krab,GandCrab v4 ransomware affected data,Yes
kraken,Rakhni ransomware affected file,Yes
kratos,KratosCrypt ransomware affected data,Yes
kyra,Globe ransomware affected file,Yes
lcked,Jigsaw (variant) ransomware affected file,Yes
LeChiffre,LeChiffre ransomware affected data,Yes
legion,Legion ransomware affected data,Yes
lesli,CryptoMix ransomware affected file,Yes
lock93,Lock93 ransomware affected file,Yes
locked,Various ransomware affected data,Yes
locklock,LockLock ransomware affected data,Yes
locky,Locky ransomware affected data,Yes
lol!,GPCode ransomware affected data,Yes
loli,LOLI RanSomeWare ransomware affected file,Yes
lovewindows,Globe (variant) ransomware affected file,Yes
madebyadam,Roga ransomware affected file,Yes
magic,Magic ransomware affected data,Yes
maya,HiddenTear (variant) ransomware affected file,Yes
MERRY,Merry X-Mas ransomware affected file,Yes
micro,TeslaCrypt 3.0 ransomware encrypted data,Yes
mole,CryptoMix (variant) ransomware affected data,Yes
mp3,TeslaCrypt 3.0 ransomware encrypted data,No
MRCR1,Merry X-Mas ransomware affected file,Yes
noproblemwedecfiles,Samas/SamSam ransomware affected file,Yes
nuclear55,Nuke ransomware affected file,Yes
odcodc,ODCODC ransomware affected file,Yes
odin,Locky ransomware affected file,Yes
onion,Dharma ransomware affected data,Yes
oops,Marlboro ransomware affected file,Yes
osiris,Locky (variant) ransomware affected data,Yes
p5tkjw,Xorist Ransomware affected data,Yes
padcrypt,PadCrypt ransomware affected data,Yes
paym,Jigsaw Ransomware affected data,Yes
paymrss,Jigsaw Ransomware affected file,Yes
payms,Jigsaw Ransomware affected file,Yes
paymst,Jigsaw Ransomware affected file,Yes
paymts,Jigsaw Ransomware affected file,Yes
payrms,Jigsaw Ransomware affected file,Yes
pays,Jigsaw Ransomware affected data,Yes
pdcr,PadCrypt Ransomware script,Yes
pec,PEC 2017 ransomware affected file,Yes
PEGS1,Merry X-Mas ransomware affected file,Yes
perl,Bart ransomware affected file,Yes
PoAr2w,Xorist Ransomware affected file,Yes
potato,Potato ransomware affected file,Yes
powerfulldecrypt,Samas/SamSam ransomware affected file,Yes
pubg,PUBG ransomware affected data,Yes
purge,Globe ransomware affected file,Yes
pzdc,Scatter ransomware affected data,Yes
R16m01d05,Ransomware affected data,Yes
r5a,7ev3n ransomware affected file,Yes
raid10,Globe [variant] ransomware affected file,Yes
RARE1,Merry X-Mas ransomware affected file,Yes
razy,Razy ransomware affected data,Yes
rdm,Radamant ransomware affected file,Yes
realfs0ciety@sigaint.org.fs0ciety,Fsociety ransomware affected file,Yes
reco,STOP/DJVU ransomware file,Yes
rekt,HiddenTear (variant) ransomware affected file,Yes
rekt,RektLocker ransomware affected data,Yes
remk,STOP Ransomware variant,Yes
rip,KillLocker ransomware affected file,Yes
RMCM1,Merry X-Mas ransomware affected file,Yes
rmd,Zeta ransomware affected file,Yes
rnsmwr,Gremit ransomware affected file,Yes
rokku,Rokku ransomware affected data,Yes
rrk,Radamant v2 ransomware affected file,Yes
ruby,Ruby ransomware affected file,Yes
sage,Sage ransomware affected data,Yes
SecureCrypted,Apocalypse ransomware affected file,Yes
serp,Serpent (variant) ransomware affected file,Yes
serpent,Serpent ransomware affected file,Yes
sexy,PayDay ransomware affected files,Yes
shit,Locky ransomware affected file,Yes
spora,Spora ransomware affected file,Yes
stn,Satan ransomware affected file,Yes
surprise,Surprise ransomware affected data,Yes
szf,SZFLocker ransomware affected data,Yes
theworldisyours,Samas/SamSam ransomware affected file,Yes
thor,Locky ransomware affected file,Yes
ttt,TeslaCrypt 3.0 ransomware encrypted data,Yes
unavailable,Al-Namrood ransomware affected file,Yes
vbransom,VBRansom 7 ransomware affected file,Yes
venusf,Venus Locker ransomware affected file,Yes
VforVendetta,Samsam (variant) ransomware affected file,Yes
vindows,Vindows Locker ransomware affected file,Yes
vvv,TeslaCrypt 3.0 ransomware encrypted data,Yes
vxlock,vxLock ransomware affected file,Yes
wallet,Globe 3 (variant) ransomware affected file,Yes
wcry,WannaCry ransomware affected file,Yes
wflx,WildFire ransomware affected file,Yes
Whereisyourfiles,Samas/SamSam ransomware affected file,Yes
windows10,Shade ransomware affected data,Yes
wncry,Wana Decrypt0r 2.0 ransomware affected data,Yes
xxx,TeslaCrypt 3.0 ransomware encrypted file,Yes
xxx,help_dcfile ransomware affected file,Yes
xyz,TeslaCrypt ransomware encrypted data,No
ytbl,Troldesh (variant) ransomware affected file,Yes
zcrypt,ZCRYPT ransomware affected data,Yes
zepto,Locky ransomware affected data,Yes
zorro,Zorro ransomware affected file,Yes
zyklon,ZYKLON ransomware affected data,Yes
zzz,TeslaCrypt ransomware encrypted data,Yes
zzzzz,Locky ransomware affected file,Yes
1 FileExtension Description Enabled
2 _AiraCropEncrypted AiraCrop Ransomware affecte file Yes
3 1cbu1 Princess Locker ransomware affected file Yes
4 1txt Enigma ransomware affected file Yes
5 73i87A Xorist Ransomware affected data Yes
6 a5zfn Alma Locker ransomware affected data Yes
7 aaa TeslaCrypt ransomware encrypted data No
8 abc TeslaCrypt ransomware encrypted data Yes
9 adk Angry Duck ransomware affected file Yes
10 aesir Locky ransomware affected file Yes
11 alcatraz Alcatraz Locker ransomware affected file Yes
12 angelamerkel Angela Merkel ransomware affected file Yes
13 AngleWare HiddenTear/MafiaWare (variant) ransomware affected file Yes
14 antihacker2017 Xorist (variant) Ransomware affected file Yes
15 atlas Atlas ransomware affected file Yes
16 axx AxCrypt encrypted data Yes
17 BarRax BarRax (HiddenTear variant) ransomware affected file Yes
18 bin Alpha/Alfa ransomware affected data No
19 bitstak Bitstak ransomware affected data Yes
20 braincrypt Braincrypt ransomware affected file Yes
21 breaking_bad Files1147@gmail(.)com ransomware affected data Yes
22 bript BadEncriptor ransomware affected file Yes
23 btc Jigsaw Ransomware affected data Yes
24 ccc TeslaCrypt or Cryptowall encrypted data No
25 CCCRRRPPP Unlock92 ransomware affected data Yes
26 cerber Cerber ransomware affected data Yes
27 cerber2 Cerber 2 ransomware affected file Yes
28 cerber3 Cerber 3 ransomware affected data Yes
29 coded Anubis ransomware affected file Yes
30 comrade Comrade ransomware affected file Yes
31 conficker Conficker ransomware affected file Yes
32 coverton Coverton ransomware affected data Yes
33 covid19 Phishing / ransomware file Yes
34 covid-19 Phishing / ransomware file Yes
35 crab GandCrab ransomware affected data Yes
36 crinf DecryptorMax or CryptInfinite ransomware affected data Yes
37 crjoker CryptoJoker ransomware affected data Yes
38 crptrgr CryptoRoger ransomware affected data Yes
39 cry CryLocker ransomware affected data Yes
40 cryeye DoubleLocker ransomware affected data Yes
41 cryp1 CryptXXX ransomware affected data Yes
42 crypt Scatter ransomware affected data Yes
43 crypte Jigsaw (variant) ransomware affected file Yes
44 crypted Nemucod ransomware affected file Yes
45 cryptolocker CryptoLocker encrypted file Yes
46 cryptowall Encrypted file by Cryptowall ransomware Yes
47 crypz CryptXXX ransomware affected data Yes
48 czvxce Coverton ransomware affected file Yes
49 d4nk PyL33T ransomware affected file Yes
50 dale Chip ransomware affected file Yes
51 damage Damage ransomware affected file Yes
52 darkness Rakhni ransomware affected data Yes
53 dCrypt DummyLocker ransomware affected file Yes
54 deadbolt Deadbolt ransomware affected file Yes
55 decrypt2017 Globe 3 ransomware affected file Yes
56 derp Derp ransomware renamed file Yes
57 Dexter Troldesh (variant) ransomware affected file Yes
58 dharma CrySiS ransomware affected file Yes
59 dll FSociety ransomware affected file No
60 dxxd DXXD ransomware affected file Yes
61 ecc Cryptolocker or TeslaCrypt virus encrypted file Yes
62 edgel EdgeLocker ransomware affected file Yes
63 enc TorrentLocker ransomware affected file No
64 enc Cryptorium ransomware affected file No
65 enciphered Malware (ransomware) encoded data Yes
66 EnCiPhErEd Xorist Ransomware affected data Yes
67 encr FileLocker ransomware affected file Yes
68 encrypt Alpha ransomware affected data Yes
69 encrypted Various ransomware affected file Yes
70 encrypted Donald Trump ransomware affected file Yes
71 encrypted KeRanger OS X ransomware affected file Yes
72 enigma Coverton ransomware affected data Yes
73 evillock Evil-JS (variant) ransomware affected file Yes
74 exotic Exotic ransomware affected file Yes
75 exx Alpha Crypt encrypted data Yes
76 ezz Alpha Crypt virus encrypted data Yes
77 fantom Fantom ransomware affected data Yes
78 file0locked Evil ransomware affected file Yes
79 fucked Manifestus ransomware affected file Yes
80 fun Jigsaw Ransomware affected data Yes
81 fun Jigsaw (variant) ransomware affected file Yes
82 gefickt Jigsaw (variant) ransomware affected file Yes
83 globe Globe ransomware affected file Yes
84 good Scatter ransomware affected data Yes
85 grt Karmen HiddenTear (variant) ransomware affected file Yes
86 ha3 El-Polocker affected file Yes
87 helpmeencedfiles Samas/SamSam ransomware affected file Yes
88 herbst Herbst ransomware affacted data Yes
89 hnumkhotep Globe 3 ransomware affected file Yes
90 hush Jigsaw ransomware affected file Yes
91 ifuckedyou SerbRansom ransomware affected file Yes
92 info PizzaCrypts Ransomware affected data Yes
93 kernel_complete KeRanger OS X ransomware data Yes
94 kernel_pid KeRanger OS X ransomware data Yes
95 kernel_time KeRanger OS X ransomware Yes
96 keybtc@inbox_com KeyBTC ransomware affected data Yes
97 kimcilware KimcilWare ransomware affected data Yes
98 kkk Jigsaw Ransomware affected data Yes
99 kostya Kostya ransomware affected file Yes
100 krab GandCrab v4 ransomware affected data Yes
101 kraken Rakhni ransomware affected file Yes
102 kratos KratosCrypt ransomware affected data Yes
103 kyra Globe ransomware affected file Yes
104 lcked Jigsaw (variant) ransomware affected file Yes
105 LeChiffre LeChiffre ransomware affected data Yes
106 legion Legion ransomware affected data Yes
107 lesli CryptoMix ransomware affected file Yes
108 lock93 Lock93 ransomware affected file Yes
109 locked Various ransomware affected data Yes
110 locklock LockLock ransomware affected data Yes
111 locky Locky ransomware affected data Yes
112 lol! GPCode ransomware affected data Yes
113 loli LOLI RanSomeWare ransomware affected file Yes
114 lovewindows Globe (variant) ransomware affected file Yes
115 madebyadam Roga ransomware affected file Yes
116 magic Magic ransomware affected data Yes
117 maya HiddenTear (variant) ransomware affected file Yes
118 MERRY Merry X-Mas ransomware affected file Yes
119 micro TeslaCrypt 3.0 ransomware encrypted data Yes
120 mole CryptoMix (variant) ransomware affected data Yes
121 mp3 TeslaCrypt 3.0 ransomware encrypted data No
122 MRCR1 Merry X-Mas ransomware affected file Yes
123 noproblemwedecfiles​ Samas/SamSam ransomware affected file Yes
124 nuclear55 Nuke ransomware affected file Yes
125 odcodc ODCODC ransomware affected file Yes
126 odin Locky ransomware affected file Yes
127 onion Dharma ransomware affected data Yes
128 oops Marlboro ransomware affected file Yes
129 osiris Locky (variant) ransomware affected data Yes
130 p5tkjw Xorist Ransomware affected data Yes
131 padcrypt PadCrypt ransomware affected data Yes
132 paym Jigsaw Ransomware affected data Yes
133 paymrss Jigsaw Ransomware affected file Yes
134 payms Jigsaw Ransomware affected file Yes
135 paymst Jigsaw Ransomware affected file Yes
136 paymts Jigsaw Ransomware affected file Yes
137 payrms Jigsaw Ransomware affected file Yes
138 pays Jigsaw Ransomware affected data Yes
139 pdcr PadCrypt Ransomware script Yes
140 pec PEC 2017 ransomware affected file Yes
141 PEGS1 Merry X-Mas ransomware affected file Yes
142 perl Bart ransomware affected file Yes
143 PoAr2w Xorist Ransomware affected file Yes
144 potato Potato ransomware affected file Yes
145 powerfulldecrypt Samas/SamSam ransomware affected file Yes
146 pubg PUBG ransomware affected data Yes
147 purge Globe ransomware affected file Yes
148 pzdc Scatter ransomware affected data Yes
149 R16m01d05 Ransomware affected data Yes
150 r5a 7ev3n ransomware affected file Yes
151 raid10 Globe [variant] ransomware affected file Yes
152 RARE1 Merry X-Mas ransomware affected file Yes
153 razy Razy ransomware affected data Yes
154 rdm Radamant ransomware affected file Yes
155 realfs0ciety@sigaint.org.fs0ciety Fsociety ransomware affected file Yes
156 reco STOP/DJVU ransomware file Yes
157 rekt HiddenTear (variant) ransomware affected file Yes
158 rekt RektLocker ransomware affected data Yes
159 remk STOP Ransomware variant Yes
160 rip KillLocker ransomware affected file Yes
161 RMCM1 Merry X-Mas ransomware affected file Yes
162 rmd Zeta ransomware affected file Yes
163 rnsmwr Gremit ransomware affected file Yes
164 rokku Rokku ransomware affected data Yes
165 rrk Radamant v2 ransomware affected file Yes
166 ruby Ruby ransomware affected file Yes
167 sage Sage ransomware affected data Yes
168 SecureCrypted Apocalypse ransomware affected file Yes
169 serp Serpent (variant) ransomware affected file Yes
170 serpent Serpent ransomware affected file Yes
171 sexy PayDay ransomware affected files Yes
172 shit Locky ransomware affected file Yes
173 spora Spora ransomware affected file Yes
174 stn Satan ransomware affected file Yes
175 surprise Surprise ransomware affected data Yes
176 szf SZFLocker ransomware affected data Yes
177 theworldisyours Samas/SamSam ransomware affected file Yes
178 thor Locky ransomware affected file Yes
179 ttt TeslaCrypt 3.0 ransomware encrypted data Yes
180 unavailable Al-Namrood ransomware affected file Yes
181 vbransom VBRansom 7 ransomware affected file Yes
182 venusf Venus Locker ransomware affected file Yes
183 VforVendetta Samsam (variant) ransomware affected file Yes
184 vindows Vindows Locker ransomware affected file Yes
185 vvv TeslaCrypt 3.0 ransomware encrypted data Yes
186 vxlock vxLock ransomware affected file Yes
187 wallet Globe 3 (variant) ransomware affected file Yes
188 wcry WannaCry ransomware affected file Yes
189 wflx WildFire ransomware affected file Yes
190 Whereisyourfiles Samas/SamSam ransomware affected file Yes
191 windows10 Shade ransomware affected data Yes
192 wncry Wana Decrypt0r 2.0 ransomware affected data Yes
193 xxx TeslaCrypt 3.0 ransomware encrypted file Yes
194 xxx help_dcfile ransomware affected file Yes
195 xyz TeslaCrypt ransomware encrypted data No
196 ytbl Troldesh (variant) ransomware affected file Yes
197 zcrypt ZCRYPT ransomware affected data Yes
198 zepto Locky ransomware affected data Yes
199 zorro Zorro ransomware affected file Yes
200 zyklon ZYKLON ransomware affected data Yes
201 zzz TeslaCrypt ransomware encrypted data Yes
202 zzzzz Locky ransomware affected file Yes


@ -0,0 +1,541 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Malware Protection Essentials (Preview)\n---\n\nThis wokbook provide details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.\n\n\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "c470616d-5af0-483a-a595-28a684d878a1",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "f0450560-ef16-4aa9-a3ad-7485dd909587",
"version": "KqlParameterItem/1.0",
"name": "Help",
"type": 10,
"isRequired": true,
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
"label": "Show Help"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 1,
"content": {
"json": "\r\n|File|Process|Registry|\r\n|------|-------|----|\r\n|Files Created in Startup Folders|List of Suspicious Processes Created with Base64 CommandLine Argumnet|Startup Registry Creation/Moification|\r\n|Top 10 Hosts where Files Created in Startup Folders|Top 10 Devices with Suspicious Process|Top 10 Devices with Most Startup Registry Modification|\r\n|Top 10 Accounts to Create Files in Startup Folders|Top 10 Processes with Suspicious CommandLine|Top 10 Users with Most Startup Registry Modification|\r\n|List of Scheduled Task Created with Encoded Command|List of Backup Deletion Acitivties using LOL Binaries|Windows Update Disabled Devices|\r\n|Top 10 Processes Creating Scheduled Task with Encoded Command|Top 10 Devices with Most Backup Deletion Activity|Windows Firewall Allow Rule Addition Events|\r\n|Top 10 Users Creating Scheduled Task with Encoded Command|List of Processes Started from Unusual Locations|Top 10 Devices with Most Windows Firewall Allow Rule Addition|\r\n||Top 10 Devices where Processes Started from Unusual Locations|Top 10 Users to add Windows Firewall Allow Rule|"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "3d902e84-3e5b-4631-85d1-c229ec2abf75",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "File Activity",
"subTarget": "File",
"style": "link"
},
{
"id": "bbc20288-b398-4f63-b7a9-e3830213bb34",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Process Activity",
"subTarget": "Process",
"style": "link"
},
{
"id": "edab4a44-8ca3-4ba1-bede-4186f4376d28",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Registry Activity",
"subTarget": "Registry",
"style": "link"
}
]
},
"name": "links - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData",
"size": 0,
"title": "Startup Registry Creation/Moification {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"name": "RegistryActivity-Startup1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by DvcHostname\r\n| take 10",
"size": 0,
"title": "Top 10 Devices with Most Startup Registry Modification {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "RegistryActivity-Startup2",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by ActorUsername\r\n| take 10",
"size": 0,
"title": "Top 10 Users with Most Startup Registry Modification {TimeRange}",
"noDataMessage": "No Data for given TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "RegistryActivity-Startup3",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " let windowsUpdateRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (windowsUpdateRegistryList) \r\n | where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData",
"size": 0,
"title": "Windows Update Disabled Devices {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "RegistryActivity-WindowsUpdate1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " let firewallRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData",
"size": 0,
"title": "Windows Firewall Allow Rule Addition Events {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "RegistryActivity-WindowsFirewall1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " let firewallRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by DvcHostname\r\n| take 10",
"size": 0,
"title": "Top 10 Devices with Most Windows Firewall Allow Rule Addition {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "RegistryActivity-WindowsFirewall2",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " let firewallRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by ActorUsername\r\n| take 10",
"size": 0,
"title": "Top 10 Users to add Windows Firewall Allow Rule {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "RegistryActivity-WindowsFirewall2 - Copy",
"styleSettings": {
"maxWidth": "50%"
}
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Registry"
},
"name": "groupRegistry"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_ProcessEvent\r\n | where EventType == 'ProcessCreated'\r\n | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine",
"size": 0,
"title": "List of Suspicious Processes Created with Base64 CommandLine Argumnet {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "ProcessActivity-SuspiciousProcess1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n| where strlen(CommandLineArgs) > 0\r\n| mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count ",
"size": 0,
"title": "Top 10 Devices with Suspicious Process {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "ProcessActivity-SuspiciousProcess2",
"styleSettings": {
"margin": "50",
"padding": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n| where strlen(CommandLineArgs) > 0\r\n| mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine\r\n| summarize Count=count() by TargetProcessName\r\n| top 10 by Count ",
"size": 0,
"title": "Top 10 Processes with Suspicious CommandLine {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "RegistryActivity-SuspiciousProcess3",
"styleSettings": {
"margin": "50",
"padding": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " _ASim_ProcessEvent\r\n | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\r\n | where CommandLine has_all ('delete', 'shadow')\r\n | union isfuzzy=True \r\n (imProcess\r\n | where TargetProcessFilename =~ 'bcedit.exe'\r\n | where CommandLine has_all ('/set', 'recoveryenabled no')\r\n )\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName",
"size": 0,
"title": "List of Backup Deletion Acitivties using LOL Binaries {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "ProcessActivity-BackupDeletion1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_ProcessEvent\r\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\r\n| where CommandLine has_all ('delete', 'shadow')\r\n| union isfuzzy=True \r\n (imProcess\r\n | where TargetProcessFilename =~ 'bcedit.exe'\r\n | where CommandLine has_all ('/set', 'recoveryenabled no')\r\n )\r\n| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count ",
"size": 0,
"title": "Top 10 Devices with Most Backup Deletion Activity {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"name": "ProcessActivity-BackupDeletion2",
"styleSettings": {
"margin": "50",
"padding": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let fileLocations = dynamic([\r\n '\\\\AppData\\\\Local\\\\Temp\\\\',\r\n '\\\\Recycle Bin\\\\'\r\n ]);\r\n_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\r\n| project\r\n TimeGenerated,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain",
"size": 0,
"title": "List of Processes Started from Unusual Locations {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"name": "ProcessActivity-MaliciousProcessLocation1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let fileLocations = dynamic([\r\n '\\\\AppData\\\\Local\\\\Temp\\\\',\r\n '\\\\Recycle Bin\\\\'\r\n ]);\r\n_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\r\n| project\r\n TimeGenerated,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count",
"size": 0,
"title": "Top 10 Devices where Processes Started from Unusual Locations {TimeRange}",
"noDataMessage": "No Data for this Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"name": "ProcessActivity-MaliciousProcessLocation2"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Process"
},
"name": "groupProcess"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where FilePath has_any (startupFolderList)\r\n | project FileName, FilePath, DvcHostname, DvcDomain, User, DvcId, TenantId, Process, CommandLine",
"size": 0,
"title": "Files Created in Startup Folders {TimeRange}",
"noDataMessage": "No Data for Given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"showPin": false,
"name": "FileActivity-Startup1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where FilePath has_any (startupFolderList)\r\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine\r\n | summarize Count=count() by DvcHostname\r\n | top 10 by Count",
"size": 0,
"title": "Top 10 Hosts where Files Created in Startup Folders {TimeRange}",
"noDataMessage": "No Data for Given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "unstackedbar"
},
"customWidth": "50",
"name": "FileActivity-Startup2",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where FilePath has_any (startupFolderList)\r\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine, ActorUsername\r\n | summarize Count=count() by ActorUsername\r\n | top 10 by Count",
"size": 0,
"title": "Top 10 Accounts to Create Files in Startup Folders {TimeRange}",
"noDataMessage": "No Data for Given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "FileActivity-Startup3",
"styleSettings": {
"maxWidth": "50%"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n",
"size": 0,
"title": "List of Scheduled Task Created with Encoded Command {TimeRange}",
"noDataMessage": "No Data for Given Time Range",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "FileActivity-ScheduledTask1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n| summarize Count=count() by Process\r\n| top 10 by Count",
"size": 0,
"title": "Top 10 Processes Creating Scheduled Task with Encoded Command {TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "FileActivity-ScheduledTask2",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n| summarize Count=count() by User\r\n| top 10 by Count",
"size": 0,
"title": "Top 10 Users Creating Scheduled Task with Encoded Command{TimeRange}",
"noDataMessage": "No Data for given Time Range",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "FileActivity-ScheduledTask3",
"styleSettings": {
"maxWidth": "50"
}
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "File"
},
"name": "groupFile"
}
],
"fromTemplateId": "sentinel-MalwareProtectionEssentials",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
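Review bot: The backup-deletion query in `ProcessActivity-BackupDeletion1` (and its Top-10 copy) filters on `TargetProcessFilename =~ 'bcedit.exe'`, but the Windows boot-configuration tool is `bcdedit.exe`, so the `recoveryenabled no` branch of the union can never match and `union isfuzzy=True` hides that silently; change it to `| where TargetProcessFilename =~ 'bcdedit.exe'`. That branch also reads `imProcess` while every other panel uses `_ASim_ProcessEvent`, so the two halves may come from different parsers with different availability; using `_ASim_ProcessEvent` in both keeps the panel consistent with the workbook's declared dependencies. Three chart panels (`RegistryActivity-Startup3`, `FileActivity-ScheduledTask2`, `FileActivity-ScheduledTask3`) omit `timeContextFromParameter` and so ignore the `TimeRange` selector their titles advertise, and the third startup query additionally adds the non-startup key `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection` to its list, so its per-user counts will not reconcile with the table above it. The Base64 panels match only command lines that literally contain the word `base64` (e.g. `FromBase64String`); PowerShell `-EncodedCommand`/`-enc` payloads, the common encoded-command case, will not appear, which is worth stating in the help text or widening the filter. Several UI titles carry typos (`Moification`, `Argumnet`, `Acitivties`) and the intro text says `wokbook provide`.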

Двоичные данные
Workbooks/Images/Preview/MalwareProtectionEssentialsBlack.png Normal file


Двоичные данные
Workbooks/Images/Preview/MalwareProtectionEssentialsWhite.png Normal file


@ -6893,5 +6893,20 @@
"templateRelativePath": "ValenceAlertsWorkbook.json",
"subtitle": "",
"provider": "Valence Security"
},
{
"workbookKey": "MalwareProtectionEssentialsWorkbook",
"logoFileName": "Azure_Sentinel.svg",
"description": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
"dataTypesDependencies": ["_ASim_FileEvent", "_ASim_ProcessEvent"],
"previewImagesFileNames": [
"MalwareProtectionEssentialsWhite.png",
"MalwareProtectionEssentialsBlack.png"
],
"version": "1.0.0",
"title": "Malware Protection Essentials",
"templateRelativePath": "MalwareProtectionEssentialsWorkbook.json",
"subtitle": "",
"provider": "Microsoft Sentinel community"
}
]
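Review bot: `dataTypesDependencies` on the new entry lists only `_ASim_FileEvent` and `_ASim_ProcessEvent`, yet the workbook it registers builds its entire Registry tab on `_ASim_RegistryEvent` (and one panel on `imProcess`), so a workspace that has the file and process parsers but not the registry parser presumably passes the gallery's dependency check and then renders the Registry tab empty with no explanation. Add the missing function so the list matches the description, which already promises Registry events: `"dataTypesDependencies": ["_ASim_FileEvent", "_ASim_ProcessEvent", "_ASim_RegistryEvent"],`. If `imProcess` is kept in the backup-deletion panel it should be listed here too, or better, that panel should be switched to `_ASim_ProcessEvent`. The enclosing JSON array starts outside this hunk.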