Packaged solution for adding new HQ

2024-09-20 17:44:35 +05:30 · 2024-09-20 17:44:35 +05:30 · 7aa467a40e
--- a/XDR/Data/Solution_Microsoft
+++ b/XDR/Data/Solution_Microsoft
@ -50,7 +50,6 @@
 	
 	],
  "Hunting Queries" : [
-		"Hunting Queries/Appspot Phishing Abuse.yaml",
 		"Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml",
 		"Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml",
 		"Hunting Queries/EmailDelivered-ToInbox.yaml",
@ -120,7 +119,93 @@
 		"Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml",
 		"Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml",
 		"Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
-		"Hunting Queries/Ransomware/LaZagneCredTheft.yaml"
+		"Hunting Queries/Ransomware/LaZagneCredTheft.yaml",
+		"Hunting Queries/Email Queries/Attachment/ATP policy status check.yaml",
+		"Hunting Queries/Email Queries/Attachment/JNLP attachment.yaml",
+		"Hunting Queries/Email Queries/Attachment/Safe attachment detection.yaml",
+		"Hunting Queries/Email Queries/Authentication/Authentication failures.yaml",
+		"Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml",
+		"Hunting Queries/Email Queries/General/Audit Email Preview-Download action.yaml",
+		"Hunting Queries/Email Queries/General/Hunt for TABL changes.yaml",
+		"Hunting Queries/Email Queries/General/Local time to UTC time conversion.yaml",
+		"Hunting Queries/Email Queries/General/MDO daily detection summary report.yaml",
+		"Hunting Queries/Email Queries/General/Mail item accessed.yaml",
+		"Hunting Queries/Email Queries/General/Malicious email senders.yaml",
+		"Hunting Queries/Email Queries/General/New TABL Items.yaml",
+		"Hunting Queries/Email Queries/Hunting/Emails containing links to IP addresses.yaml",
+		"Hunting Queries/Email Queries/Hunting/Good emails from senders with bad patterns.yaml",
+		"Hunting Queries/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml",
+		"Hunting Queries/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml",
+		"Hunting Queries/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml",
+		"Hunting Queries/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml",
+		"Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML",
+		"Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML",
+		"Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML",
+		"Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML",
+		"Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML",
+		"Hunting Queries/Email Queries/Mailflow/Detections by detection methods.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Mail reply to new domain.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Mailflow by directionality.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Malicious emails detected per day.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Sender recipient contact establishment.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Top 100 malicious email senders.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Top 100 senders.yaml",
+		"Hunting Queries/Email Queries/Mailflow/Zero day threats.yaml",
+		"Hunting Queries/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml",
+		"Hunting Queries/Email Queries/Malware/Email containing malware sent by an internal sender.yaml",
+		"Hunting Queries/Email Queries/Malware/Email malware detection report.yaml",
+		"Hunting Queries/Email Queries/Malware/Malware detections by detection methods.yaml",
+		"Hunting Queries/Email Queries/Overrides/Admin overrides.yaml",
+		"Hunting Queries/Email Queries/Overrides/Top policies performing admin overrides.yaml",
+		"Hunting Queries/Email Queries/Overrides/Top policies performing user overrides.yaml",
+		"Hunting Queries/Email Queries/Overrides/User overrides.yaml",
+		"Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml",
+		"Hunting Queries/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml",
+		"Hunting Queries/Email Queries/QR code/Campaign with randomly named attachments.yaml",
+		"Hunting Queries/Email Queries/QR code/Campaign with suspicious keywords.yaml",
+		"Hunting Queries/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml",
+		"Hunting Queries/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml",
+		"Hunting Queries/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml",
+		"Hunting Queries/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml",
+		"Hunting Queries/Email Queries/QR code/Hunting for sender patterns.yaml",
+		"Hunting Queries/Email Queries/QR code/Hunting for user signals-clusters.yaml",
+		"Hunting Queries/Email Queries/QR code/Inbound emails with QR code URLs.yaml",
+		"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml",
+		"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml",
+		"Hunting Queries/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml",
+		"Hunting Queries/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml",
+		"Hunting Queries/Email Queries/Quarantine/Group quarantine release.yaml",
+		"Hunting Queries/Email Queries/Quarantine/High Confidence Phish Released.yaml",
+		"Hunting Queries/Email Queries/Quarantine/Quarantine Release Email Details.yaml",
+		"Hunting Queries/Email Queries/Quarantine/Quarantine release trend.yaml",
+		"Hunting Queries/Email Queries/Remediation/Email remediation action list.yaml",
+		"Hunting Queries/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml",
+		"Hunting Queries/Email Queries/Spoof and Impersonation/Referral phish emails.yaml",
+		"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml",
+		"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml",
+		"Hunting Queries/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml",
+		"Hunting Queries/Email Queries/Submissions/Admin reported submissions.yaml",
+		"Hunting Queries/Email Queries/Submissions/Status of submissions.yaml",
+		"Hunting Queries/Email Queries/Submissions/Top submitters of admin submissions.yaml",
+		"Hunting Queries/Email Queries/Submissions/Top submitters of user submissions.yaml",
+		"Hunting Queries/Email Queries/Submissions/User reported submissions.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Attacked more than x times average.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Top external malicious senders.yaml",
+		"Hunting Queries/Email Queries/Top Attacks/Top targeted users.yaml",
+		"Hunting Queries/Email Queries/URL Click/End user malicious clicks.yaml",
+		"Hunting Queries/Email Queries/URL Click/URL click count by click action.yaml",
+		"Hunting Queries/Email Queries/URL Click/URL click on ZAP Email.yaml",
+		"Hunting Queries/Email Queries/URL Click/URL clicks actions by URL.yaml",
+		"Hunting Queries/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml",
+		"Hunting Queries/Email Queries/URL Click/User clicked through events.yaml",
+		"Hunting Queries/Email Queries/URL Click/User clicks on malicious inbound emails.yaml",
+		"Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
+		"Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
+		"Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
+		"Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
  ],
  "Workbooks" : [
 		"Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
@ -128,7 +213,7 @@
 		"Workbooks/MicrosoftDefenderForIdentity.json"
 	],
  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
-  "Version": "3.0.8",
+  "Version": "3.0.9",
  "Metadata": "SolutionMetadata.json",
  "TemplateSpec": true,
  "StaticDataConnectorIds": [
--- a/XDR/Package/3.0.9.zip
+++ b/XDR/Package/3.0.9.zip
--- a/XDR/Package/createUiDefinition.json
+++ b/XDR/Package/createUiDefinition.json
--- a/XDR/Package/mainTemplate.json
+++ b/XDR/Package/mainTemplate.json
--- a/XDR/ReleaseNotes.md
+++ b/XDR/ReleaseNotes.md
@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                    |
 |-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.9       | 20-09-2024                     | Added New **Hunting Queries**				   |
 | 3.0.8       | 10-06-2024                     | Added missing AMA **Data Connector** reference in **Analytic rules**				   | 
 | 3.0.7       | 29-05-2024                     | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml				   | 
 | 3.0.6       | 13-05-2024                     | Updated queried to use Signinlogs table                               				   |