Hunting Queries files path update
This commit is contained in:
Parent
89399be708
Commit
af79e08eec
|
@ -1,4 +1,4 @@
|
|||
id: a73bd4e7-3408-4c2a-8066-4e22452d1425
|
||||
name: Failed Logon Attempts on SQL Server
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-Failed%20SQL%20Logons.yaml'
|
||||
|
|
|
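Review bot: the stub keeps its original `id: a73bd4e7-3408-4c2a-8066-4e22452d1425` while its body becomes only a pointer to the Solutions copy; if the migrated file under `Solutions/Microsoft Windows SQL Server Database Audit/Hunting Queries/` carries the same GUID, the repo now has two hunting queries sharing one id. Either confirm the duplicate is intended for the migration period, or drop the stub once the Solutions copy is in place.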
@ -1,4 +1,4 @@
|
|||
id: 938af80b-6727-44bb-8694-c399e326b5e8
|
||||
name: Failed Logon on SQL Server from Same IPAddress in Short time Span
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-MultipleFailedLogon_FromSameIP.yaml'
|
||||
|
|
|
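Review bot: because the field is declared as a block scalar (`description: |`), the surrounding single quotes on the new line are emitted literally, so the rendered description starts and ends with `'`. The sentence itself also reads awkwardly ("this file is moved to new location. you can find here:"); the Endpoint Threat Protection Essentials hunks later in this same commit already use "this file is moved to a new location. You can find it here", so consider dropping the quotes and aligning on that wording across all the stubs.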
@ -1,4 +1,4 @@
|
|||
id: a303d4cd-2ca3-4f0b-a46c-8be9f64182fc
|
||||
name: Multiple Failed Logon on SQL Server in Short time Span
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-MultipleFailedLogon_InShortSpan.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 792d3c90-66ce-4c35-809b-6b66e7d2f9d9
|
||||
name: New User created on SQL Server
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-New_UserCreated.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 1df731d9-0d6c-4ea3-9498-fca874e45d0c
|
||||
name: User added to SQL Server SecurityAdmin Group
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserAdded_to_SecurityAdmin.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: a0384314-baf6-4bf9-8cfd-2952697d71dd
|
||||
name: SQL User deleted from Database
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserDeletedFromDatabase.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: b36464d3-0135-4df0-a5b0-0d61bc6e2da5
|
||||
name: User removed from SQL Server SecurityAdmin Group
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRemovedFromSecurityAdmin.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 8f20e85c-33e2-42cd-80ff-0ae7fa504b58
|
||||
name: User removed from SQL Server Roles
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRemovedFromServerRole.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 45ba87e7-e052-4dd4-b68b-789d3f9b507f
|
||||
name: User Role altered on SQL Server
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRoleChanged.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 3e750b94-88d3-4911-9102-09601f30348d
|
||||
name: Invoke-PowerShellTcpOneLine Usage.
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Invoke-PowerShellTcpOneLine.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: f7bfc2c2-0900-424b-bc3a-fe2bf5659371
|
||||
name: Least Common Parent And Child Process Pairs
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 542c8a57-fe1e-4229-913a-d9466917fc43
|
||||
name: Least Common Processes by Command Line
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Process_Command_Lines.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 23d1a6c4-6c46-4e28-b091-7252660cb2c7
|
||||
name: Least Common Processes Including Folder Depth
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Process_With_Depth.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 5bfdeabd-5f85-440e-baf0-13dfed4dc1f9
|
||||
name: Potential Exploitation of MS-RPRN printer bug
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/MSRPRN_Printer_Bug_Exploitation.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: fe00f86f-523b-4e3c-9b4a-4a64e961248a
|
||||
name: Multiple explicit credential usage - 4648 events
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/MultipleExplicitCredentialUsage4648Events.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: d95d2a06-64ff-4eb7-a2a0-93954e14f016
|
||||
name: New Child Process of W3WP.exe
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/NewChildProcessOfW3WP.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 8c26819f-87d6-4cce-8024-0b2f254295a4
|
||||
name: Nishang Reverse TCP Shell in Base64
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/NishangReverseTCPShellBase64.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 11c3b83c-39e6-4ad1-8067-90eac05b27b3
|
||||
name: Potential Impacket Execution
|
||||
description: |
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials'
|
||||
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml'
|
|
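Review bot: both the old and the new description line here have an unbalanced quote: they open without `'` but end with `...PotentialImpacketExecution.yaml'`. Every other stub in this commit wraps the whole sentence in quotes (or could drop them, since `description: |` is a block scalar); either remove the trailing `'` on the new line or add the opening one so the rendered text does not end in a stray apostrophe.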
@ -1,4 +1,4 @@
|
|||
id: 37e19244-0359-430a-999c-2e6f091f07f5
|
||||
name: Powercat Download
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/PowerCatDownload.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: d3f6ba66-1a8c-40f6-a473-fa768603ee3f
|
||||
name: Entropy for Processes for a given Host
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/ProcessEntropy.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 6c17f205-bda3-41ee-8a21-77fe61af39ea
|
||||
name: Rare processes run by Service accounts
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcbyServiceAccount.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: ddc93cc2-154e-4acd-9691-73dbda5736e9
|
||||
name: Rare Process Path
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcessPath.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: c98cee55-3ad0-451b-a9fd-95cd781b517d
|
||||
name: Hosts running a rare process with commandline
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcessWithCmdLine.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 41c3f295-8920-4070-951c-4c78625cacf5
|
||||
name: Hosts running a rare process
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcess_forWinHost.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 0434ad80-c059-40eb-9d8a-ce4e75d5897b
|
||||
name: Remote Login Performed with WMI
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/RemoteLoginPerformedwithWMI.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 5f8c7e58-e105-47bd-a87f-7488111beb82
|
||||
name: Remote Scheduled Task Creation or Update using ATSVC Named Pipe
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: a9c5c660-e2cf-4229-89a7-4266467ca94c
|
||||
name: Scheduled Task Creation or Update from User Writable Directory
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml'
|
|
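Review bot: the target filename on the new line is misspelled, `ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml` ("Drectory"). If the file under `Solutions/Endpoint Threat Protection Essentials/Hunting Queries/` really carries that spelling the link resolves, but if it was named `...WritableDirectory.yaml` this pointer 404s; please confirm the link opens, and if the name is to be corrected, rename the target and update this pointer in the same change.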
@ -1,4 +1,4 @@
|
|||
id: 90b0efe8-56d4-46eb-9ac2-f4d72cca5c07
|
||||
name: Service installation from user writable directory
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/ServiceInstallationFromUsersWritableDirectory.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 18b565c8-79c7-44f2-84eb-ffc4b509900c
|
||||
name: Rundll32 (LOLBins and LOLScripts)
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/SignedBinaryProxyExecutionRundll32.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 2841b25a-54d1-4c2a-8d06-3e73ef3b6dbc
|
||||
name: Suspected LSASS Dump
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 484e561d-94ad-4626-bbc6-586558f1f069
|
||||
name: Suspicious Windows Login outside normal hours
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Suspicious_Windows_Login_outside_normal_hours.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 5b6770dc-8490-42fd-8f20-93087a744633
|
||||
name: Suspicious enumeration using Adfind tool
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Suspicious_enumeration_using_adfind.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 275b65d2-f621-4503-aacd-44c3cf6ad6c2
|
||||
name: Summary of user logons by logon type
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/User%20Logons%20By%20Logon%20Type.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: ace1a7a8-25c1-4b80-9103-2e3e11713f31
|
||||
name: User Account added to Built in Domain Local or Global Group
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAccountAddedToPrivlegeGroup.yaml'
|
|
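Review bot: the new pointer ends in `UserAccountAddedToPrivlegeGroup.yaml` ("Privlege"). As with the other misspelled targets in this commit, please verify the link resolves against the actual file in `Solutions/Windows Security Events/Hunting Queries/`; a typo that only exists in the pointer leaves readers of the stub with a dead link.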
@ -1,4 +1,4 @@
|
|||
id: 09d3679e-2ad0-4663-bc35-65f6e82a759c
|
||||
name: Long lookback User Account Created and Deleted within 10mins
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAccountCreatedDeleted.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 1f73fda4-4892-4a44-8359-9363f473c969
|
||||
name: User account added or removed from a security group by an unauthorized user
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAdd_RemToGroupByUnauthorizedUser.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: b9ebdc07-9fd1-49c6-8cea-45467b2ec468
|
||||
name: User created by unauthorized user
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserCreatedByUnauthorizedUser.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: d5b1e835-3a4c-4c8a-ab53-dbe7a85a345c
|
||||
name: VIP account more than 6 failed logons in 10
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/VIPAccountFailedLogons.yaml'
|
|
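Review bot: the unchanged `name:` line, "VIP account more than 6 failed logons in 10", is missing its unit ("in 10" what?). The stub cannot be fixed here without touching context, but since the name is carried over to `VIPAccountFailedLogons.yaml` in the Solutions folder, the migrated copy is the place to complete it (presumably "in 10 minutes", to be confirmed against the query's time window).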
@ -1,4 +1,4 @@
|
|||
id: 4c5efcbe-e420-49c8-8263-6c0928cabad3
|
||||
name: Windows System Time changed on hosts
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/WindowsSystemTimeChange.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 34b026e1-622f-4cd6-9a5a-d59ff067a12c
|
||||
name: Masquerading files
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/masquerading_files.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 2a09665a-9c60-4dc1-8d72-66611bb85580
|
||||
name: New processes observed in last 24 hours
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/new_processes.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 9730f589-8726-466b-9dbb-69c9428c9992
|
||||
name: Summary of users created using uncommon/undocumented commandline switches
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/persistence_create_account.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 8519a7d1-db41-4f60-93af-aac86c8231c8
|
||||
name: PowerShell downloads
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/powershell_downloads.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: a1752686-2ac1-4b33-bb1f-8baa8abba9c6
|
||||
name: New PowerShell scripts encoded on the commandline
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/powershell_newencodedscipts.yaml'
|
|
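Review bot: the new pointer targets `powershell_newencodedscipts.yaml` ("scipts"). Same request as for the other misspelled targets: confirm the file under `Solutions/Windows Security Events/Hunting Queries/` is actually named this way so the link resolves, or correct both the filename and this pointer together.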
@ -1,4 +1,4 @@
|
|||
id: 667cc590-c81c-4592-8764-aaca9dad6cf4
|
||||
name: Uncommon processes - bottom 5%
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/uncommon_processes.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 1d78a512-ca1c-4370-8cd0-05b338a253ef
|
||||
name: Attempts to sign in to disabled accounts by account name
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/DisabledAccountSigninAttempts.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 2a0096b0-85df-4fce-8f5d-e12eb65d18d0
|
||||
name: Attempts to sign in to disabled accounts by IP address
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/DisabledAccountSigninAttemptsByIP.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: afac3fac-bbd9-4dfa-a2b1-b974982cd6ab
|
||||
name: Signins From VPS Providers
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/Signins-From-VPS-Providers.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 0fb3574a-3b04-415c-9eb8-512c5bea775f
|
||||
name: Signins from Nord VPN Providers
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/Signins-from-NordVPN-Providers.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: e8a66d91-2de6-4050-8eb5-e12d190e96dc
|
||||
name: Suspicious Sign-in to Privileged Account
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/SuspiciousSignintoPrivilegedAccount.yaml'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: cb637bc8-03e5-4c69-85c9-02fb36cf2e0c
|
||||
name: Possible exploitation of Apache log4j component detected
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Apache_log4j_Vulnerability.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 82cd9228-c724-4dfd-a14b-96af4af8974e
|
||||
name: Suspicious Base64 download activity detected
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Base64_Download_Activity.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: e92cb2cb-6475-4984-8553-90d3f92f0a09
|
||||
name: Possible Container Miner related artifacts detected
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Container_Miner_Activity.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 5e90f8fb-2966-49cf-9dd3-be6c22babb9a
|
||||
name: Crypto currency miners EXECVE
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/CryptoCurrencyMiners.yaml'
|
|
@ -1,4 +1,4 @@
|
|||
id: 782d2776-789f-42e1-92bb-7e6d662f3c6b
|
||||
name: Suspicious crytocurrency mining related threat activity detected
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/CryptoThreatActivity.yaml'
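Review bot: the unchanged `name:` line in this hunk still reads `Suspicious crytocurrency mining related threat activity detected`; since the file is being rewritten in this commit, correct `crytocurrency` to `cryptocurrency` in the same change rather than leaving the typo in the stub that now points at `CryptoThreatActivity.yaml`.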
@ -1,4 +1,4 @@
id: 7f220c5b-677e-44a1-9b50-56c03b208b85
name: Suspicious manipulation of firewall detected via Syslog data
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Firewall_Disable_Activity.yaml'
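Review bot: this query is named `Suspicious manipulation of firewall detected via Syslog data`, yet its new deep link points into `Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Firewall_Disable_Activity.yaml`, while the other Syslog-sourced queries in this commit (for example `RareProcess_ForLxHost.yaml` and `SchedTaskEditViaCrontab.yaml`) are linked under `Solutions/Syslog`. Please confirm the Log4j solution is the intended home for this file before the stub's only pointer is fixed to it; the same question applies to the other Syslog-named queries in this commit that are linked under the Log4j solution.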
@ -1,4 +1,4 @@
id: 6bb091a5-ddda-419f-bc69-684a7a2b5945
name: Possible Linux attack toolkit detected via Syslog data
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Linux_Toolkit_Detected.yaml'
@ -1,4 +1,4 @@
id: df0add0f-de42-4099-9657-34ae9de7a7f8
name: Linux security related process termination activity detected
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Process_Termination_Activity.yaml'
@ -1,4 +1,4 @@
id: 47a9a19a-724b-443d-bda3-01a25bb2aeb5
name: Rare process running on a Linux host
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/RareProcess_ForLxHost.yaml'
@ -1,4 +1,4 @@
id: 6963e4f9-ac8e-4b6d-933e-a7fc2142a78e
name: SCX Execute RunAs Providers
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SCXExecuteRunAsProviders.yaml'
@ -1,4 +1,4 @@
id: deb432fc-683b-4f8d-976e-d65e2bcf9a4e
name: Linux scheduled task Aggregation
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SchedTaskAggregation.yaml'
@ -1,4 +1,4 @@
id: 4dbfdd9c-187a-49d8-8744-2af0f91f36b5
name: Editing Linux scheduled tasks through Crontab
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SchedTaskEditViaCrontab.yaml'
@ -1,4 +1,4 @@
id: 9700f1da-7b1c-4702-820e-9c9ec8f2ec55
name: Suspicious Shell script detected
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Suspicious_ShellScript_Activity.yaml'
@ -1,4 +1,4 @@
id: 2115e5f0-7dca-4469-8e67-e7a100f1f6ab
name: Squid commonly abused TLDs
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_abused_tlds.yaml'
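Review bot: the new deep link in this hunk ends in a lower-case file name (`squid_abused_tlds.yaml`), while other hunks in this commit use mixed-case names such as `CryptoCurrencyMiners.yaml` and `SchedTaskAggregation.yaml`. GitHub blob paths are case-sensitive, and the previous directory-level links could not break this way, so verify that each rewritten URL resolves to an existing file before merging; a stub whose only content is a dead link is worse than the old directory pointer.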
@ -1,4 +1,4 @@
id: 5a615b8f-a22c-48a7-9014-b2d3da112a44
name: Squid malformed requests
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_malformed_requests.yaml'
@ -1,4 +1,4 @@
id: c43430c6-0d03-4be5-9549-535a61770bf2
name: Squid data volume timeseries anomalies
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_volume_anomalies.yaml'
@ -1,4 +1,4 @@
id: e8f35698-1bdd-4f8d-b416-8d1e4f7ae195
name: Preview - TI map File entity to OfficeActivity Event
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_OfficeActivity.yaml'
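Review bot: the rewritten description line carries over the defect of the old one: it ends with a stray `'` after `FileEntity_OfficeActivity.yaml` but has no opening quote, unlike the other hunks in this commit where the text is wrapped in matching quotes. Either add the opening quote or, better, drop the trailing one; the same fix is needed in the four `Threat Intelligence` hunks that follow (`FileEntity_SecurityEvent.yaml`, `FileEntity_Syslog.yaml`, `FileEntity_VMConnection.yaml`, `FileEntity_WireData.yaml`).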
@ -1,4 +1,4 @@
id: 4fb17aa0-d404-4a66-aa68-b37156c8c506
name: Preview - TI map File entity to Security Event
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_SecurityEvent.yaml'
@ -1,4 +1,4 @@
id: d5a41ea2-3dbb-476f-94fe-8df6521af740
name: Preview - TI map File entity to Syslog Event
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_Syslog.yaml'
@ -1,4 +1,4 @@
id: c23db0e9-0caa-4904-96fb-e72d2317b0af
name: Preview - TI map File entity to VMConnection Event
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_VMConnection.yaml'
@ -1,4 +1,4 @@
id: 629ecb36-3d3c-4567-8e13-7688b0ed4414
name: Preview - TI map File entity to WireData Event
description: |
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_WireData.yaml'