FIxing potential issues with mvexpand and rule creation failures due to entity types

This commit is contained in:
Shain Wray (MSTIC) 2019-09-05 09:07:58 -07:00
Родитель 0e5a4607d5
Коммит a764b922a2
5 изменённых файлов: 12 добавлений и 8 удалений


@ -32,5 +32,6 @@ query: |
| summarize TimeGenerated=max(TimeGenerated), userCount = dcount(UserId), UserId = makelist(UserId), ClientIP = makeset(ClientIP) by fwdingDestination
| where userCount > 1
| mvexpand UserId, ClientIP
| extend UserId = tostring(UserId), ClientIP = tostring(ClientIP)
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
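Review bot: The new `tostring` line converts the null padding that `mvexpand UserId, ClientIP` emits when its two arrays differ in length into empty strings, so `AccountCustomEntity` or `IPCustomEntity` can now be bound to `""` instead of null; add `| where isnotempty(UserId) and isnotempty(ClientIP)` directly after it so the entity mapping never carries an empty value. The same empty-string effect applies to the `tostring(IPAddress)` line in the second file section and to the `tostring` lines in the third and fifth. Separately, a multi-column `mvexpand` pairs array elements by position, and here one array is deduplicated (`makeset(ClientIP)`) while the other is not (`makelist(UserId)`), so the account and IP in one expanded row are not guaranteed to have occurred together; summarizing by `fwdingDestination, UserId, ClientIP` (with `userCount` computed per destination via a join) would keep the pairs intact. The `query:` block begins before this hunk.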


@ -38,4 +38,5 @@ query: |
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| mvexpand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress


@ -27,9 +27,10 @@ let IPsFromRareLocations = (v_Account_Name:string, v_Account_AadUserId:string){
LocationPrevalence
| summarize makeset(IPAddress), makeset(Location), makeset(LocationCount) , totalActivity = sum(LocationCount) by UserPrincipalName
| mvexpand Location = set_Location, LocationCount = set_LocationCount, IPAddress = set_IPAddress
| extend Location = tostring(Location), LocationCount = toint(LocationCount), IPAddress = tostring(IPAddress)
| extend percentOfActivity = 100*LocationCount/totalActivity
| where percentOfActivity < 10
| project UserPrincipalName, IPAddress, Location, toint(LocationCount), percentOfActivity
| project UserPrincipalName, IPAddress, Location, LocationCount, percentOfActivity
| top 10 by LocationCount asc nulls last
| extend Account_Aux_info = pack("LocationCount", LocationCount, "PercentOfActivity", percentOfActivity)
| parse UserPrincipalName with Account_NTDomain "\\" *
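Review bot: Moving `toint(LocationCount)` into the `extend` after `mvexpand` keeps the arithmetic on `percentOfActivity` working, but the three `makeset` arrays being expanded are deduplicated independently per `UserPrincipalName`, so after the zip-style expansion the `Location`, `LocationCount` and `IPAddress` in one row are not guaranteed to be values that occurred together, and a rare-location percentage can be attributed to the wrong location or IP. Computing the per-user total on the unaggregated rows instead keeps each row's columns together and removes the need for `mvexpand` here, e.g. `| join kind=inner (LocationPrevalence | summarize totalActivity = sum(LocationCount) by UserPrincipalName) on UserPrincipalName` followed by the existing `extend percentOfActivity` line. The `LocationPrevalence` definition and the rest of `IPsFromRareLocations` lie outside this hunk, so confirm that it still has one row per user/location/IP at that point.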


@ -39,7 +39,7 @@ query: |
// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity
// 2 other operations that can be part of malicious activity in this situation are
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you are interested in those as starting points for OperationName
let HistoricalConsent = auditLogEvents(30d)
let HistoricalConsent = auditLogEvents(auditLookback)
| where OperationName == "Consent to application"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count()
by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id
@ -50,7 +50,7 @@ query: |
| summarize by InitiatedBy, CorrelationId;
// 2 other operations that can be part of malicious activity in this situation are
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you changed the starting OperationName above
let allOtherEvents = auditLogEvents(30d)
let allOtherEvents = auditLogEvents(auditLookback)
| where OperationName != "Consent to application";
// Gather associated activity based on audit activity for "Consent to application" and InitiatedBy and CorrleationId
let CorrelatedEvents = Correlate


@ -21,14 +21,15 @@ query: |
(DnsEvents
| where TimeGenerated >= ago(timeframe)
| where Name has_any (badNames)
| extend Domain = Name, SourceIp = ClientIP, RemoteIp = IPAddresses
| mvexpand RemoteIP),
| extend Domain = Name, SourceIp = ClientIP, RemoteIP = IPAddresses
| mvexpand RemoteIP
| extend RemoteIP = tostring(RemoteIP)),
(VMConnection
| where TimeGenerated >= ago(timeframe)
| where isnotempty(RemoteDnsCanonicalNames)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName has_any (badNames)
| extend Domain = DNSName
| extend Domain = DNSName, RemoteIP = RemoteIp
))
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIp, Computer
| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIp
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer
| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP
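Review bot: `mvexpand RemoteIP` followed by the new `tostring(RemoteIP)` only produces one row per address if `IPAddresses` is already a dynamic array; if `DnsEvents.IPAddresses` arrives as a delimited string (which I believe it does — confirm against the table schema), the expansion yields a single row holding the whole list and `IPCustomEntity` then carries several addresses in one value. In that case change the extend to `| extend Domain = Name, SourceIp = ClientIP, RemoteIP = split(IPAddresses, ",")` so the following `mvexpand` splits it. Also worth a comment in the YAML: for the `DnsEvents` branch `Computer` is the server that recorded the query rather than the querying client, so `HostCustomEntity = Computer` on the last line points the host entity at the DNS server while the client only appears in `SourceIp`; this is unchanged by the commit but affects what an analyst is shown. The `union` and the `let` definitions above this hunk are outside it.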