diff --git a/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml b/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
index 8252f9289a..6f760e2b17 100644
--- a/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
+++ b/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
@@ -18,7 +18,7 @@ query: |
 | where Data.SettingName in ("PurgeArtifacts", "PurgeRuns")
 | where Data.NewValue == 0
 | project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml b/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
index 617d1cac0b..2e0d415809 100644
--- a/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
@@ -24,7 +24,7 @@ query: |
 | where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
 | where Type != "AzureKeyVault"
 | where Data_Variables !has "IsSecret"
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml b/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
index 3a1aaba609..d868bc03e2 100644
--- a/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
@@ -32,7 +32,7 @@ query: |
 | where UserKey !in (historical_data)
 | project-away UserKey
 | project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml b/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
index 905bca236e..3ec1ba4fd6 100644
--- a/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
+++ b/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
@@ -13,28 +13,28 @@ tactics:
 relevantTechniques:
 - T1199
 query: |
- // Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).
- let allowed_sources = dynamic(["NuGet Gallery"]);
- let allowed_locations = dynamic(["https://api.nuget.org/v3/index.json"]);
+ // Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).
+ let allowed_sources = dynamic(["NuGet Gallery"]);
+ let allowed_locations = dynamic(["https://api.nuget.org/v3/index.json"]);
 AzureDevOpsAuditing
- // Look for feeds created or modified at either the organization or project level
- | where OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"
- | where Details has "UpstreamSources, added"
- | extend FeedName = tostring(Data.FeedName)
- | extend FeedId = tostring(Data.FeedId)
- | extend UpstreamsAdded = Data.UpstreamsAdded
- // As multiple feeds may be added expand these out
- | mv-expand UpstreamsAdded
- // Only focus on external feeds
- | where UpstreamsAdded.UpstreamSourceType !~ "internal"
- | extend SourceLocation = tostring(UpstreamsAdded.Location)
- | extend SourceName = tostring(UpstreamsAdded.Name)
- // Exclude sources and locations in the allow list
- | where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)
- | extend SourceProtocol = tostring(UpstreamsAdded.Protocol)
- | extend SourceStatus = tostring(UpstreamsAdded.Status)
- | project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ // Look for feeds created or modified at either the organization or project level
+ | where OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"
+ | where Details has "UpstreamSources, added"
+ | extend FeedName = tostring(Data.FeedName)
+ | extend FeedId = tostring(Data.FeedId)
+ | extend UpstreamsAdded = Data.UpstreamsAdded
+ // As multiple feeds may be added expand these out
+ | mv-expand UpstreamsAdded
+ // Only focus on external feeds
+ | where UpstreamsAdded.UpstreamSourceType !~ "internal"
+ | extend SourceLocation = tostring(UpstreamsAdded.Location)
+ | extend SourceName = tostring(UpstreamsAdded.Name)
+ // Exclude sources and locations in the allow list
+ | where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)
+ | extend SourceProtocol = tostring(UpstreamsAdded.Protocol)
+ | extend SourceStatus = tostring(UpstreamsAdded.Status)
+ | project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml b/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
index 41d8fa5838..2aabba2330 100644
--- a/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
+++ b/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
@@ -51,7 +51,7 @@ query: |
 | extend OsDescription = tostring(Data.OsDescription)
 | extend SystemDetails = Data.SystemCapabilities
 | project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml b/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
index a45890ae55..448fcffd88 100644
--- a/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
+++ b/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
@@ -24,7 +24,7 @@ query: |
 | join (AzureDevOpsAuditing
 | extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId
 | summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml b/Hunting Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml
index cc76fd7590..2077d85a15 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml
@@ -13,7 +13,7 @@ query: |
 | extend ResourceName = tostring(Data.ResourceName)
 | extend Type = tostring(Data.Type)
 | project-reorder TimeGenerated, OperationName, ResourceName, Type, ActorUPN, IpAddress, UserAgent
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml b/Hunting Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml
index 4604add732..d6f44ea8b9 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml
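Review bot: In NewPAPCAPCASaddedtoADO.yaml the retained line `| extend timestamp = TimeGenerated, ...` comes directly after `| summarize ... by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent`, so TimeGenerated is no longer a column at that point and the query will fail to resolve it, meaning this detection errors instead of returning results. TimeAdded looks like the intended value: `| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress`. The same pattern, where all three of TimeGenerated, ActorUPN and IpAddress have been renamed away by the preceding project-rename, appears in ADOBuildDeletedAfterPipelineMod.yaml (TimeDeleted, DeleteUser and DeleteIP survive) and ADOVariableCreatedDeleted.yaml (TimeDeleted, DeletingUser and DeletingIP survive), and those extend lines should reference the renamed columns instead. The start of each query lies outside the hunk, so the fix is better confirmed by running each query once against a workspace before merging, since the commit already touches exactly these lines.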
@@ -22,7 +22,7 @@ query: |
 | extend ReleaseName = tostring(Data.ReleaseName)
 | project-rename TimeModified = TimeGenerated1, TimeDeleted = TimeGenerated, ModifyOperation = OperationName1, ModifyUser=ActorUPN1, ModifyIP=IpAddress1, ModifyUA= UserAgent1, DeleteOperation=OperationName, DeleteUser=ActorUPN, DeleteIP=IpAddress, DeleteUA=UserAgent
 | project-reorder TimeModified, ProjectName, PipelineName, ModifyUser, ModifyIP, ModifyUA, TimeDeleted, DeleteOperation, DeleteUser, DeleteIP, DeleteUA,ReleaseName
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml b/Hunting Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml
index bb4c004f88..50254ae42c 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml
@@ -15,7 +15,7 @@ query: |
 | extend IsHosted = tostring(Data.IsHosted)
 | extend IsLegacy = tostring(Data.IsLegacy)
 | project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml b/Hunting Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml
index e1dc106408..28056850d4 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml
@@ -18,7 +18,7 @@ query: |
 | where TimeGenerated > ago(timeframe)
 | where AuthenticationMechanism startswith "PAT"
 | where OperationName !in (PAT_Actions)
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml b/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
index 0e27caa5cc..c76d018077 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
@@ -23,7 +23,7 @@ query: |
 | summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId
 | extend Alerts = iif(isempty(Alerts), 0, Alerts)
 | project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml b/Hunting Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml
index 9f1bebf8a0..cd28fa7393 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml
@@ -27,7 +27,7 @@ query: |
 | extend StageName = tostring(Data.StageName)
 | extend ReleaseName = tostring(Data.ReleaseName)) on ActorUPN
 | project-reorder TimeGenerated, PipelineName, ActorUPN, ApprovalType, StageName, ReleaseName, IpAddress, UserAgent, AuthenticationMechanism
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml b/Hunting Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml
index 0e259ed89d..385c05f471 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml
@@ -37,7 +37,7 @@ query: |
 | extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)
 | summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId
 | project-reorder TimeGenerated, ProjectName, Details, ActorUPN, IpAddress, UserAgent, Alerts
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings:
diff --git a/Hunting Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml b/Hunting Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml
index 0fc978fedf..8152c7e1ab 100644
--- a/Hunting Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml
+++ b/Hunting Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml
@@ -26,7 +26,7 @@ query: |
 | extend VariablesRemoved = set_difference(bag_keys(variables), bag_keys(variables1))
 | project-rename TimeCreated=TimeGenerated, TimeDeleted = TimeGenerated1, CreatingUser = ActorUPN, DeletingUser = ActorUPN1, CreatingIP = IpAddress, DeletingIP = IpAddress1, CreatingUA = UserAgent, DeletingUA = UserAgent1
 | project-reorder VariableGroupName, TimeCreated, TimeDeleted, VariablesRemoved, CreatingUser, CreatingIP, CreatingUA, DeletingUser, DeletingIP, DeletingUA
- | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+ | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
 - entityType: Account
 fieldMappings: