Updating entity mapping for ASIM detections

2023-12-11 19:58:57 -08:00 · 2023-12-11 19:58:57 -08:00 · 9d21081217
--- a/Detections/ASimAuthentication/imAuthBruteForce.yaml
+++ b/Detections/ASimAuthentication/imAuthBruteForce.yaml
@ -40,17 +40,30 @@ query: |
  | extend
        IpAddresses = strcat_array(IpAddresses, ", "), 
        ReportedBy = strcat_array(ReportedBy, ", ")
+  | extend
+    Name = iif(
+        TargetUsername contains "@"
+            , tostring(split(TargetUsername, '@', 0)[0])
+            , TargetUsername
+        ),
+    UPNSuffix = iif(
+        TargetUsername contains "@"
+        , tostring(split(TargetUsername, '@', 1)[0])
+        , ""
+    )

 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: TargetUsername
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix

 customDetails:
  IpAddresses: IpAddresses
  ReportedBy: ReportedBy
-version: 1.2.2
+version: 1.2.3
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
+++ b/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
@ -28,15 +28,13 @@ query: |
    , Users = make_set(TargetUserId,100) 
      by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
  | where UserCount > FailureThreshold
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr
-

 entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
-version: 1.1.2
+        columnName: SrcDvcIpAddr
+version: 1.1.3
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
+++ b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
@ -42,14 +42,13 @@ query: |
  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
  successfulAccountSigninCount, successfulAccountSigninSet, Type
  | order by disabledAccountLoginAttempts
-  | extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr

 entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.2
+        columnName: SrcDvcIpAddr
+version: 1.0.3
 kind: Scheduled
 metadata:
  source:
--- a/Detections/ASimDNS/imDNS_Miners.yaml
+++ b/Detections/ASimDNS/imDNS_Miners.yaml
@ -57,17 +57,21 @@ query: |
  "moneropool.ru", "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net", "unipool.pro", "crypto-pools.org", "monero.net", 
  "backup-pool.com", "mooo.com", "freeyy.me", "cryptonight.net", "shscrypto.net"]);
  _Im_Dns(domain_has_any=minersDomains)
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
-version: 1.3.2
+        columnName: SrcIpAddr
+version: 1.3.3
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimDNS/imDNS_TorProxies.yaml
+++ b/Detections/ASimDNS/imDNS_TorProxies.yaml
@ -48,16 +48,20 @@ query: |
  "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt", 
  "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]);
  _Im_Dns(domain_has_any=torProxies)
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
 version: 1.3.2
 kind: Scheduled
 metadata:
--- a/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
@ -53,13 +53,12 @@ query: |
  | where count_ > threshold
  | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
      ) on SrcIpAddr
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
 entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
-version: 1.3.3
+        columnName: SrcIpAddr
+version: 1.3.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml
+++ b/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml
@ -57,7 +57,7 @@ query: |
    | where DnsQuery !contains "/" and  DnsQuery contains "."};
  nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())
    | extend sld = tostring(split(DnsQuery, ".")[-2])
-    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr
+    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr
    | where dcount_sld > threshold
    // Filter out previously seen IPs
    | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))
@ -66,14 +66,13 @@ query: |
      | where dcount_sld > threshold ) on SrcIpAddr
  // Pull out sample NXDomain responses for those remaining potentially infected IPs
  | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr
-  | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100)  by SrcIpAddr, dcount_sld
-  | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr
+  | summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100)  by SrcIpAddr, dcount_sld
 entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
-version: 1.3.2
+        columnName: SrcIpAddr
+version: 1.3.3
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
+++ b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
@ -27,29 +27,29 @@ query:  |
  let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
  let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
  imFileEvent
-  | where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)
-  | extend
-      timestamp = TimeGenerated,
-      AccountCustomEntity = User, 
-      HostCustomEntity = DvcHostname,
-      FileHashCustomEntity = TargetFileMD5,
-      AlgorithmCustomEntity = "MD5"
+  | where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
+  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
+  | extend AlgorithmType = "MD5"
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
+      - identifier: HostName
+        columnName: DvcHostname
+      - identifier: DnsDomain
+        columnName: DvcDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
-        columnName: AlgorithmCustomEntity
+        columnName: AlgorithmType
      - identifier: Value
-        columnName: FileHashCustomEntity
-version: 1.0.5
+        columnName: TargetFileMD5
+version: 1.0.6
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
+++ b/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
@ -31,13 +31,15 @@ query: |
    | where TimeGenerated > ago(1d)
    | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | where Process !in (known_processes)
-    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
+    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname, DvcDomain
 entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DvcHostname
-version: 1.0.3
+      - identifier: DnsDomain
+        columnName: DvcDomain
+version: 1.0.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml
+++ b/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml
@ -18,22 +18,27 @@ relevantTechniques:
  - T1036
 query: |
  imProcess
-    | where CommandLine has_all ("accepteula", "-s", "-r", "-q")
-    | where Process !endswith "sdelete.exe"
-    | where CommandLine !has "sdelete"
+  | where CommandLine has_all ("accepteula", "-s", "-r", "-q")
+  | where Process !endswith "sdelete.exe"
+  | where CommandLine !has "sdelete"
+  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
+      - identifier: HostName
        columnName: DvcHostname
+      - identifier: DnsDomain
+        columnName: DvcDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: ActorUsername
 version: 1.0.4
 kind: Scheduled
 metadata:
--- a/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml
+++ b/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml
@ -17,32 +17,42 @@ tags:
  -
 query: |
  imProcess
-    | where EventType =~ "ProcessCreated"
-    | where Process endswith "svchost.exe"
-    | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
-    | extend timekey = bin(TimeGenerated, 1m)
-    | project timekey, ActingProcessId, Dvc
-    | join kind=inner (imProcess
+  | where EventType =~ "ProcessCreated"
+  | where Process endswith "svchost.exe"
+  | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
+  | extend timekey = bin(TimeGenerated, 1m)
+  | project timekey, ActingProcessId, Dvc
+  | join kind=inner (
+    imProcess
    | where EventType =~ "ProcessCreated"
    | where Process =~ "sdelete.exe" or CommandLine has "sdelete"
    | where ActingProcessName endswith "svchost.exe"
    | where CommandLine has_all ("-s", "-r")
    | extend timekey = bin(TimeGenerated, 1m)
-    ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
+    ) 
+    on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
+  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: ActorUsername
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: Dvc
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml
+++ b/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml
@ -17,14 +17,15 @@ relevantTechniques:
  - T1569
  - T1003
 query: | 
-   let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
-    let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
-    let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77",     "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
-    let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
-    imProcessCreate
-    | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
-    // Increase risk score if recent alerts for the host
-    | join kind=leftouter (SecurityAlert
+  let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
+  let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
+  let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77",     "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
+  let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
+  imProcessCreate
+  | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
+  // Increase risk score if recent alerts for the host
+  | join kind=leftouter (
+    SecurityAlert
    | where ProviderName =~ "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | mv-expand todynamic(Entities)
@ -32,23 +33,31 @@ query: |
    | where isnotempty(DvcId)
    // Higher risk score are for Defender alerts related to threat actor
    | extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5)
-    | project DvcId, AlertRiskScore) on DvcId
-    | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
-    | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
+    | project DvcId, AlertRiskScore) 
+    on DvcId
+  | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
+  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
-  - entityType: Host
-    fieldMappings:
-      - identifier: HostName
-        columnName: HostCustomEntity
  - entityType: Account
    fieldMappings:
      - identifier: Name
-        columnName: AccountCustomEntity
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileName
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
+++ b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
@ -20,41 +20,47 @@ tags:
    SchemaVersion: 0.1.0

 query: |
-    let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
-    let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
-    imProcessCreate
-    //looks for execution from a shell
-    | where ActingProcessName has_any (parentProcesses)
-    | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
-    | where ActingProcessFileName in~ (parentProcesses)
-    // main filter
-    | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
-        // AdFind common Flags to check for from various threat actor TTPs
-        or CommandLine has_any (args)
-    | extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256
-    
+  let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
+  let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
+  imProcessCreate
+  //looks for execution from a shell
+  | where ActingProcessName has_any (parentProcesses)
+  | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
+  | where ActingProcessFileName in~ (parentProcesses)
+  // main filter
+  | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
+  // AdFind common Flags to check for from various threat actor TTPs
+  or CommandLine has_any (args)
+  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
-        columnName: HostCustomEntity
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: Process
    fieldMappings:
      - identifier: ProcessId
-        columnName: ProcessCustomEntity
+        columnName: ActingProcessName
      - identifier: CommandLine
-        columnName: CommandLineCustomEntity
+        columnName: CommandLine
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
-        columnName: AlgorithmCustomEntity
+        columnName: AlgorithmType
      - identifier: Value
-        columnName: FileHashCustomEntity
-version: 1.1.3
+        columnName: TargetProcessSHA256
+version: 1.1.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml
+++ b/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml
@ -26,17 +26,24 @@ query: |
  | where Process hassuffix 'rundll32.exe'
  | where CommandLine  has_any ('Execute','RegRead','window.close')
  | project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
-  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
+  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.1.3
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.1.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
+++ b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
@ -28,28 +28,30 @@ query:  |
  imProcessCreate
  | where Process hassuffix 'solarwinds.businesslayerhost.exe'
  | where not(Process has_any (excludeProcs))
-  | extend
-      timestamp = TimeGenerated,
-      AccountCustomEntity = ActorUsername,
-      HostCustomEntity = User,
-      AlgorithmCustomEntity = "MD5",
-      FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented
+  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
-        columnName: AlgorithmCustomEntity
+        columnName: AlgorithmType
      - identifier: Value
-        columnName: FileHashCustomEntity
-version: 1.1.3
+        columnName: TargetFileMD5
+version: 1.1.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
+++ b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
@ -24,21 +24,28 @@ tags:

 query: |
  imProcessCreate
-    | where CommandLine contains "TVqQAAMAAAAEAAA"
-    | where isnotempty(Process)
-    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
-    | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
+  | where CommandLine contains "TVqQAAMAAAAEAAA"
+  | where isnotempty(Process)
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
+  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
  
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.1.2
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.1.3
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
+++ b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
@ -20,24 +20,31 @@ tags:
    SchemaVersion: 0.1.0

 query: |
-      let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);  
-      imProcessCreate
-      | where CommandLine has "recycler"
-      | where Process has_any (procList)
-      | extend FileName = tostring(split(Process, '\\')[-1])
-      | where FileName in~ (procList)
-      | project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
-      | extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc
+  let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);  
+  imProcessCreate
+  | where CommandLine has "recycler"
+  | where Process has_any (procList)
+  | extend FileName = tostring(split(Process, '\\')[-1])
+  | where FileName in~ (procList)
+  | project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
+  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.2.3
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.2.4
 kind: Scheduled
 metadata:
    source:
--- a/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml
+++ b/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml
@ -1,7 +1,8 @@
 id: 01e8ffff-dc0c-43fe-aa22-d459c4204553
 name: Discord CDN Risky File Download  (ASIM Web Session Schema)
 description: |
-  'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.
+  'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. 
+   Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.
   This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
 severity: Medium
 requiredDataConnectors:
@ -31,11 +32,14 @@ query: |
    | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url
    | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url
    | where RequestURL has_any (".bin",".exe",".dll",".bin",".msi")
+    | extend AccountName = tostring(split(SourceUser, "@")[0]), AccountUPNSuffix = tostring(split(SourceUser, "@")[1])
 entityMappings:
  - entityType: Account
    fieldMappings:
-      - identifier: FullName
-        columnName: SourceUser
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
@ -44,13 +48,13 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: RequestURL
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
 metadata:
    source:
        kind: Community
    author:
-        name: Pete Bryan
+        name: Microsoft Security Research
    support:
        tier: Community
    categories:
--- a/Detections/ASimWebSession/UnusualUACryptoMiners.yaml
+++ b/Detections/ASimWebSession/UnusualUACryptoMiners.yaml
@ -31,8 +31,8 @@ query: |
    let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
    let fullUAList = array_concat(knownUserAgents,customUserAgents);
    _Im_WebSession(httpuseragent_has_any=fullUAList)
-    | summarize N_Events=count() by  SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
-
+    | summarize N_Events=count() by  SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
+    | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
 entityMappings:
  - entityType: URL
    fieldMappings:
@ -45,7 +45,9 @@ entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
-        columnName: SrcUsername
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix

 alertDetailsOverride:
  alertDisplayNameFormat: The host {{SrcIpAddr}} is potentially running a crypto miner
--- a/Detections/ASimWebSession/UnusualUAHackTool.yaml
+++ b/Detections/ASimWebSession/UnusualUAHackTool.yaml
@ -32,7 +32,8 @@ query: |
    let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
    let fullUAList = array_concat(knownUserAgents,customUserAgents);
    _Im_WebSession(httpuseragent_has_any=fullUAList)
-    | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
+    | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
+    | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
 entityMappings:
  - entityType: URL
    fieldMappings:
@ -45,7 +46,9 @@ entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
-        columnName: SrcUsername
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix

 alertDetailsOverride:
  alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running a hacking tool'
--- a/Detections/ASimWebSession/UnusualUAPowershell.yaml
+++ b/Detections/ASimWebSession/UnusualUAPowershell.yaml
@ -33,8 +33,8 @@ query: |
    let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
    let fullUAList = array_concat(knownUserAgents,customUserAgents);
    _Im_WebSession(httpuseragent_has_any=fullUAList)
-    | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
-
+    | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
+    | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
 entityMappings:
  - entityType: URL
    fieldMappings:
@ -47,7 +47,9 @@ entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
-        columnName: SrcUsername
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix

 alertDetailsOverride:
  alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running PowerShell'
--- a/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
+++ b/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
@ -108,6 +108,7 @@ query: |
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
+  | project-away DomainIndex
 entityMappings:
  - entityType: Account
    fieldMappings: