Packaged solution for adding new HQ

This commit is contained in:
v-shukore 2024-09-20 17:44:35 +05:30
Родитель 55edb1a298
Коммит 7aa467a40e
5 изменённых файлов: 10543 добавлений и 1191 удалений


@ -50,7 +50,6 @@
], ],
"Hunting Queries" : [ "Hunting Queries" : [
"Hunting Queries/Appspot Phishing Abuse.yaml",
"Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml", "Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml",
"Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml", "Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml",
"Hunting Queries/EmailDelivered-ToInbox.yaml", "Hunting Queries/EmailDelivered-ToInbox.yaml",
@ -120,7 +119,93 @@
"Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml", "Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml",
"Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml", "Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml",
"Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", "Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
"Hunting Queries/Ransomware/LaZagneCredTheft.yaml" "Hunting Queries/Ransomware/LaZagneCredTheft.yaml",
"Hunting Queries/Email Queries/Attachment/ATP policy status check.yaml",
"Hunting Queries/Email Queries/Attachment/JNLP attachment.yaml",
"Hunting Queries/Email Queries/Attachment/Safe attachment detection.yaml",
"Hunting Queries/Email Queries/Authentication/Authentication failures.yaml",
"Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml",
"Hunting Queries/Email Queries/General/Audit Email Preview-Download action.yaml",
"Hunting Queries/Email Queries/General/Hunt for TABL changes.yaml",
"Hunting Queries/Email Queries/General/Local time to UTC time conversion.yaml",
"Hunting Queries/Email Queries/General/MDO daily detection summary report.yaml",
"Hunting Queries/Email Queries/General/Mail item accessed.yaml",
"Hunting Queries/Email Queries/General/Malicious email senders.yaml",
"Hunting Queries/Email Queries/General/New TABL Items.yaml",
"Hunting Queries/Email Queries/Hunting/Emails containing links to IP addresses.yaml",
"Hunting Queries/Email Queries/Hunting/Good emails from senders with bad patterns.yaml",
"Hunting Queries/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml",
"Hunting Queries/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml",
"Hunting Queries/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml",
"Hunting Queries/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml",
"Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML",
"Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML",
"Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML",
"Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML",
"Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML",
"Hunting Queries/Email Queries/Mailflow/Detections by detection methods.yaml",
"Hunting Queries/Email Queries/Mailflow/Mail reply to new domain.yaml",
"Hunting Queries/Email Queries/Mailflow/Mailflow by directionality.yaml",
"Hunting Queries/Email Queries/Mailflow/Malicious emails detected per day.yaml",
"Hunting Queries/Email Queries/Mailflow/Sender recipient contact establishment.yaml",
"Hunting Queries/Email Queries/Mailflow/Top 100 malicious email senders.yaml",
"Hunting Queries/Email Queries/Mailflow/Top 100 senders.yaml",
"Hunting Queries/Email Queries/Mailflow/Zero day threats.yaml",
"Hunting Queries/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml",
"Hunting Queries/Email Queries/Malware/Email containing malware sent by an internal sender.yaml",
"Hunting Queries/Email Queries/Malware/Email malware detection report.yaml",
"Hunting Queries/Email Queries/Malware/Malware detections by detection methods.yaml",
"Hunting Queries/Email Queries/Overrides/Admin overrides.yaml",
"Hunting Queries/Email Queries/Overrides/Top policies performing admin overrides.yaml",
"Hunting Queries/Email Queries/Overrides/Top policies performing user overrides.yaml",
"Hunting Queries/Email Queries/Overrides/User overrides.yaml",
"Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml",
"Hunting Queries/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml",
"Hunting Queries/Email Queries/QR code/Campaign with randomly named attachments.yaml",
"Hunting Queries/Email Queries/QR code/Campaign with suspicious keywords.yaml",
"Hunting Queries/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml",
"Hunting Queries/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml",
"Hunting Queries/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml",
"Hunting Queries/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml",
"Hunting Queries/Email Queries/QR code/Hunting for sender patterns.yaml",
"Hunting Queries/Email Queries/QR code/Hunting for user signals-clusters.yaml",
"Hunting Queries/Email Queries/QR code/Inbound emails with QR code URLs.yaml",
"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml",
"Hunting Queries/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml",
"Hunting Queries/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml",
"Hunting Queries/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml",
"Hunting Queries/Email Queries/Quarantine/Group quarantine release.yaml",
"Hunting Queries/Email Queries/Quarantine/High Confidence Phish Released.yaml",
"Hunting Queries/Email Queries/Quarantine/Quarantine Release Email Details.yaml",
"Hunting Queries/Email Queries/Quarantine/Quarantine release trend.yaml",
"Hunting Queries/Email Queries/Remediation/Email remediation action list.yaml",
"Hunting Queries/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml",
"Hunting Queries/Email Queries/Spoof and Impersonation/Referral phish emails.yaml",
"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml",
"Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml",
"Hunting Queries/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml",
"Hunting Queries/Email Queries/Submissions/Admin reported submissions.yaml",
"Hunting Queries/Email Queries/Submissions/Status of submissions.yaml",
"Hunting Queries/Email Queries/Submissions/Top submitters of admin submissions.yaml",
"Hunting Queries/Email Queries/Submissions/Top submitters of user submissions.yaml",
"Hunting Queries/Email Queries/Submissions/User reported submissions.yaml",
"Hunting Queries/Email Queries/Top Attacks/Attacked more than x times average.yaml",
"Hunting Queries/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml",
"Hunting Queries/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml",
"Hunting Queries/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml",
"Hunting Queries/Email Queries/Top Attacks/Top external malicious senders.yaml",
"Hunting Queries/Email Queries/Top Attacks/Top targeted users.yaml",
"Hunting Queries/Email Queries/URL Click/End user malicious clicks.yaml",
"Hunting Queries/Email Queries/URL Click/URL click count by click action.yaml",
"Hunting Queries/Email Queries/URL Click/URL click on ZAP Email.yaml",
"Hunting Queries/Email Queries/URL Click/URL clicks actions by URL.yaml",
"Hunting Queries/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml",
"Hunting Queries/Email Queries/URL Click/User clicked through events.yaml",
"Hunting Queries/Email Queries/URL Click/User clicks on malicious inbound emails.yaml",
"Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
"Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
"Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
"Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
], ],
"Workbooks" : [ "Workbooks" : [
"Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json", "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
@ -128,7 +213,7 @@
"Workbooks/MicrosoftDefenderForIdentity.json" "Workbooks/MicrosoftDefenderForIdentity.json"
], ],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
"Version": "3.0.8", "Version": "3.0.9",
"Metadata": "SolutionMetadata.json", "Metadata": "SolutionMetadata.json",
"TemplateSpec": true, "TemplateSpec": true,
"StaticDataConnectorIds": [ "StaticDataConnectorIds": [
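Review bot: The five new `MDO_*` entries under `Hunting Queries/Email Queries/Hunting/` use an uppercase `.YAML` extension while every other path in the list uses `.yaml`; the packager resolves these entries relative to `BasePath`, so the case has to match the files on disk exactly, and a mismatch that is masked on the Windows checkout shown will fail the build on a case-sensitive checkout. Rename those files to `.yaml` and update the entries to match, e.g. `"Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.yaml",`. The removed `Hunting Queries/Appspot Phishing Abuse.yaml` looks like it is re-added as `Email Queries/Phish/Appspot phishing abuse.yaml`, yet `Check for spoofing attempts on the domain with Authentication failures.yaml` is kept next to the new `Authentication/Spoof attempts with auth failure.yaml` — if those are the same query, drop one so the solution does not ship two near-identical hunting queries. Unrelated to this change but visible in the context lines, `BasePath` still points at a developer's local `C:\GitHub\...` directory rather than a repository-relative path.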





@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------------------| |-------------|--------------------------------|---------------------------------------------------------------------------------------|
| 3.0.9 | 20-09-2024 | Added New **Hunting Queries** |
| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** | | 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml | | 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
| 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table | | 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table |