Packaged solution for adding new HQ
Родитель
55edb1a298
Коммит
7aa467a40e
|
@ -50,7 +50,6 @@
|
||||||
|
|
||||||
],
|
],
|
||||||
"Hunting Queries" : [
|
"Hunting Queries" : [
|
||||||
"Hunting Queries/Appspot Phishing Abuse.yaml",
|
|
||||||
"Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml",
|
"Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml",
|
||||||
"Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml",
|
"Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml",
|
||||||
"Hunting Queries/EmailDelivered-ToInbox.yaml",
|
"Hunting Queries/EmailDelivered-ToInbox.yaml",
|
||||||
|
@ -120,7 +119,93 @@
|
||||||
"Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml",
|
"Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml",
|
||||||
"Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml",
|
"Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml",
|
||||||
"Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
|
"Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
|
||||||
"Hunting Queries/Ransomware/LaZagneCredTheft.yaml"
|
"Hunting Queries/Ransomware/LaZagneCredTheft.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Attachment/ATP policy status check.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Attachment/JNLP attachment.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Attachment/Safe attachment detection.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Authentication/Authentication failures.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/Audit Email Preview-Download action.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/Hunt for TABL changes.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/Local time to UTC time conversion.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/MDO daily detection summary report.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/Mail item accessed.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/Malicious email senders.yaml",
|
||||||
|
"Hunting Queries/Email Queries/General/New TABL Items.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Emails containing links to IP addresses.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Good emails from senders with bad patterns.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML",
|
||||||
|
"Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Detections by detection methods.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Mail reply to new domain.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Mailflow by directionality.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Malicious emails detected per day.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Sender recipient contact establishment.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Top 100 malicious email senders.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Top 100 senders.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Mailflow/Zero day threats.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Malware/Email containing malware sent by an internal sender.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Malware/Email malware detection report.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Malware/Malware detections by detection methods.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Overrides/Admin overrides.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Overrides/Top policies performing admin overrides.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Overrides/Top policies performing user overrides.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Overrides/User overrides.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Campaign with randomly named attachments.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Campaign with suspicious keywords.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Hunting for sender patterns.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Hunting for user signals-clusters.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Inbound emails with QR code URLs.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml",
|
||||||
|
"Hunting Queries/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Quarantine/Group quarantine release.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Quarantine/High Confidence Phish Released.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Quarantine/Quarantine Release Email Details.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Quarantine/Quarantine release trend.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Remediation/Email remediation action list.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Spoof and Impersonation/Referral phish emails.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Submissions/Admin reported submissions.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Submissions/Status of submissions.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Submissions/Top submitters of admin submissions.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Submissions/Top submitters of user submissions.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Submissions/User reported submissions.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Attacked more than x times average.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Top external malicious senders.yaml",
|
||||||
|
"Hunting Queries/Email Queries/Top Attacks/Top targeted users.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/End user malicious clicks.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/URL click count by click action.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/URL click on ZAP Email.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/URL clicks actions by URL.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/User clicked through events.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/User clicks on malicious inbound emails.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
|
||||||
|
"Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
|
||||||
|
"Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
|
||||||
],
|
],
|
||||||
"Workbooks" : [
|
"Workbooks" : [
|
||||||
"Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
|
"Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
|
||||||
|
@ -128,7 +213,7 @@
|
||||||
"Workbooks/MicrosoftDefenderForIdentity.json"
|
"Workbooks/MicrosoftDefenderForIdentity.json"
|
||||||
],
|
],
|
||||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
|
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
|
||||||
"Version": "3.0.8",
|
"Version": "3.0.9",
|
||||||
"Metadata": "SolutionMetadata.json",
|
"Metadata": "SolutionMetadata.json",
|
||||||
"TemplateSpec": true,
|
"TemplateSpec": true,
|
||||||
"StaticDataConnectorIds": [
|
"StaticDataConnectorIds": [
|
||||||
|
|
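Review bot: Five of the entries added in the second hunk use an uppercase `.YAML` extension (`"Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML"` through `"Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML"`) while every other path in the `"Hunting Queries"` array ends in `.yaml`; if the packaging step resolves these entries on a case-sensitive filesystem, each one has to match the on-disk file name exactly or that query is dropped from the package, so the actual extensions are worth confirming and normalising to `.yaml` where they match. Two of those entries, `MDO_CountOfRecipientsEmailaddressbySubject.YAML` and `MDO_Countofrecipientsemailaddressesbysubject.YAML`, also look like near-duplicates; they may well be distinct files, but a check would avoid shipping the same hunting query twice. The first hunk removes `"Hunting Queries/Appspot Phishing Abuse.yaml"` and the second adds `"Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml"`, which reads as a relocation, whereas `"Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml"` stays listed alongside the new `"Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml"`, so it is worth confirming the two are intended to coexist. The file header for this section is not visible in the page excerpt.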
Двоичные данные
Solutions/Microsoft Defender XDR/Package/3.0.9.zip
Двоичные данные
Solutions/Microsoft Defender XDR/Package/3.0.9.zip
Двоичный файл не отображается.
Разница между файлами не показана из-за своего большого размера
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
||||||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||||
|-------------|--------------------------------|---------------------------------------------------------------------------------------|
|
|-------------|--------------------------------|---------------------------------------------------------------------------------------|
|
||||||
|
| 3.0.9 | 20-09-2024 | Added New **Hunting Queries** |
|
||||||
| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
|
| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
|
||||||
| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
|
| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
|
||||||
| 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table |
|
| 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table |
|
||||||
|
|