Entity Work April 5 part 1

Required items, please complete

   Change(s):
   - Deleted Custom Entity mappings
   - Split hostname and domain
   - Split name and UPN suffix

   Reason for Change(s):
   - Needed to add full mappings

   Version Updated:
   - yes

   Testing Completed:
   - yes

   Checked that the validations are passing and have addressed any issues that are present:
   - no

Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml

@@ -69,19 +69,19 @@ query: |
     | project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction
     // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)
     | where Periodicity >= (10*TimeDeltaThresholdInSeconds)
-    | extend timestamp = StartTime, IPCustomEntity = DestinationIP
+    | extend timestamp = StartTime
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.3
+        columnName: DestinationIP
+version: 1.0.4
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: robMSFT
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml

@@ -110,23 +110,23 @@ query: |
     )
     on Name
     | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource
-    | extend timestamp=StartTime, IPCustomEntity=SourceIP
+    | extend timestamp=StartTime
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SourceIP
   - entityType: DNS
     fieldMappings:
       - identifier: DomainName
         columnName: Name
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: robMSFT
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml

@@ -74,20 +74,20 @@ query: |
   | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies
   | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies
   | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies
-  | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax
+  | extend timestamp= EndTimeUtc
 
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.2
+        columnName: SourceIPMax
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Ashwin Patil
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/DuoSecurity/TrustMonitorEvent.yaml

@@ -14,23 +14,27 @@ query: |
   let timeframe = ago(5m);
   DuoSecurityTrustMonitor_CL
   | where TimeGenerated >= timeframe
-  | extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s
+  | extend AccountName = tostring(split(surfaced_auth_user_name_s, "@")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: surfaced_auth_user_name_s
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.2
+        columnName: surfaced_auth_access_device_ip_s
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: SecurityJedi
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/MultipleDataSources/MalformedUserAgents.yaml

@@ -83,7 +83,7 @@ query: |
   or UserAgent matches regex @"MSIE\s?;"
   // Incorrect spacing around MSIE version
   or UserAgent matches regex  @"MSIE(?:\d|.{1,5}?\d\s;)"
-  | extend timestamp = StartTime, IPCustomEntity = SourceIP, Name = split(Account, "@")[0], UPNSuffix = split(Account, "@")[1]
+  | extend timestamp = StartTime, Name = split(Account, "@")[0], UPNSuffix = split(Account, "@")[1]
 
 entityMappings:
   - entityType: Account
@@ -97,8 +97,8 @@ entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.4
+        columnName: SourceIP
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:

Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml

@@ -77,27 +77,38 @@ query: |
   | extend IPAddress = SourceHost
   ) 
   ) 
-  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
+  | extend timestamp = TimeGenerated
+  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: HostCustomEntity
+        columnName: Computer
+      - identifier: HostName
+        columnName: HostName
+      - identifier: NTDomain
+        columnName: HostNameDomain
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.2
+        columnName: IPAddress
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Ajeet Prakash
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/PulseConnectSecure/PulseConnectSecureVPN-CVE_2021_22893_Exploit.yaml

@@ -21,19 +21,19 @@ query: |
   | where Messages contains "Unauthenticated request url /dana-na/"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
   | where count_ > threshold
-  | extend timestamp = StartTime, IPCustomEntity = Source_IP
+  | extend timestamp = StartTime
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.1
+        columnName: Source_IP
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Sittikorn S
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml

@@ -26,19 +26,26 @@ query: |
   | where RemediationDescription has 'CVE-2021-38647'
   | parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
   | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
-  | extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
+  | extend Timestamp = TimeGenerated
+  | extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
 entityMappings: 
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.0.3
+        columnName: VirtualMAchine
+      - identifier: HostName
+        columnName: HostName
+      - identifier: NTDomain
+        columnName: HostNameDomain
+
+version: 1.0.4
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Ajeet Prakash
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Detections/W3CIISLog/HighPortCountByClientIP.yaml

@@ -62,19 +62,19 @@ query: |
   | where portCount >= portThreshold
   | project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount
   | order by portCount
-  | extend timestamp = TimeGenerated, IPCustomEntity = cIP
+  | extend timestamp = TimeGenerated
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.2
+        columnName: cIP
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Shain
+        name: Microsoft Security Research
     support:
         tier: Community
     categories: