From af79e08eec24e1a81d7a4e93821707f9ead3d36e Mon Sep 17 00:00:00 2001 
From: DixitVedanshi
Date: Thu, 23 Feb 2023 15:10:55 +0530
Subject: [PATCH] Hunting Queries files path update

---
 Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml | 2 +-
 .../SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml | 2 +-
 .../SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-New_UserCreated.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml | 2 +-
 Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml | 2 +-
 Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml | 2 +-
 .../SecurityEvent/Least_Common_Parent_Child_Process.yaml | 2 +-
 .../SecurityEvent/Least_Common_Process_Command_Lines.yaml | 2 +-
 .../SecurityEvent/Least_Common_Process_With_Depth.yaml | 2 +-
 .../SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml | 2 +-
 .../MultipleExplicitCredentialUsage4648Events.yaml | 2 +-
 Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml | 2 +-
 Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml | 2 +-
 Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml | 2 +-
 Hunting Queries/SecurityEvent/PowerCatDownload.yaml | 2 +-
 Hunting Queries/SecurityEvent/ProcessEntropy.yaml | 2 +-
 Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml | 2 +-
 Hunting Queries/SecurityEvent/RareProcessPath.yaml | 2 +-
 Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml | 2 +-
 Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml | 2 +-
 Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml | 2 +-
 .../RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml | 2 +-
 .../ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml | 2 +-
 .../ServiceInstallationFromUsersWritableDirectory.yaml | 2 +-
 .../SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml | 2 +-
 Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml | 2 +-
 .../Suspicious_Windows_Login_outside_normal_hours.yaml | 2 +-
 .../SecurityEvent/Suspicious_enumeration_using_adfind.yaml | 2 +-
 Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml | 2 +-
 .../SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml | 2 +-
 Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml | 2 +-
 .../SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml | 2 +-
 .../SecurityEvent/UserCreatedByUnauthorizedUser.yaml | 2 +-
 Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml | 2 +-
 Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml | 2 +-
 Hunting Queries/SecurityEvent/masquerading_files.yaml | 2 +-
 Hunting Queries/SecurityEvent/new_processes.yaml | 2 +-
 Hunting Queries/SecurityEvent/persistence_create_account.yaml | 2 +-
 Hunting Queries/SecurityEvent/powershell_downloads.yaml | 2 +-
 Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml | 2 +-
 Hunting Queries/SecurityEvent/uncommon_processes.yaml | 2 +-
 Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml | 2 +-
 .../SigninLogs/DisabledAccountSigninAttemptsByIP.yaml | 2 +-
 Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml | 2 +-
 Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml | 2 +-
 .../SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml | 2 +-
 Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml | 2 +-
 Hunting Queries/Syslog/Base64_Download_Activity.yaml | 2 +-
 Hunting Queries/Syslog/Container_Miner_Activity.yaml | 2 +-
 Hunting Queries/Syslog/CryptoCurrencyMiners.yaml | 2 +-
 Hunting Queries/Syslog/CryptoThreatActivity.yaml | 2 +-
 Hunting Queries/Syslog/Firewall_Disable_Activity.yaml | 2 +-
 Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml | 2 +-
 Hunting Queries/Syslog/Process_Termination_Activity.yaml | 2 +-
 Hunting Queries/Syslog/RareProcess_ForLxHost.yaml | 2 +-
 Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml | 2 +-
 Hunting Queries/Syslog/SchedTaskAggregation.yaml | 2 +-
 Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml | 2 +-
 Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml | 2 +-
 Hunting Queries/Syslog/squid_abused_tlds.yaml | 2 +-
 Hunting Queries/Syslog/squid_malformed_requests.yaml | 2 +-
 Hunting Queries/Syslog/squid_volume_anomalies.yaml | 2 +-
 .../ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml | 2 +-
 .../ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml | 2 +-
 .../ThreatIntelligenceIndicator/FileEntity_Syslog.yaml | 2 +-
 .../ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml | 2 +-
 .../ThreatIntelligenceIndicator/FileEntity_WireData.yaml | 2 +-
 71 files changed, 71 insertions(+), 71 deletions(-)

diff --git a/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml b/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml
index 911f32e12c..7616fd5267 100644
--- a/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml
+++ b/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml
@@ -1,4 +1,4 @@
 id: a73bd4e7-3408-4c2a-8066-4e22452d1425
 name: Failed Logon Attempts on SQL Server
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-Failed%20SQL%20Logons.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
index d36e0f7694..c13c7cd964 100644
--- a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
+++ b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
@@ -1,4 +1,4 @@
 id: 938af80b-6727-44bb-8694-c399e326b5e8
 name: Failed Logon on SQL Server from Same IPAddress in Short time Span
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-MultipleFailedLogon_FromSameIP.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
index c715c52390..01ab7753b0 100644
--- a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
+++ b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
@@ -1,4 +1,4 @@
 id: a303d4cd-2ca3-4f0b-a46c-8be9f64182fc
 name: Multiple Failed Logon on SQL Server in Short time Span
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-MultipleFailedLogon_InShortSpan.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml b/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
index 4e20a36a3b..c27cd42004 100644
--- a/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
+++ b/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
@@ -1,4 +1,4 @@
 id: 792d3c90-66ce-4c35-809b-6b66e7d2f9d9
 name: New User created on SQL Server
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-New_UserCreated.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml b/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
index df6301e2a1..1f33478a2f 100644
--- a/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
+++ b/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
@@ -1,4 +1,4 @@
 id: 1df731d9-0d6c-4ea3-9498-fca874e45d0c
 name: User added to SQL Server SecurityAdmin Group
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserAdded_to_SecurityAdmin.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml b/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
index 951e642fc2..027ab79417 100644
--- a/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
+++ b/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
@@ -1,4 +1,4 @@
 id: a0384314-baf6-4bf9-8cfd-2952697d71dd
 name: SQL User deleted from Database
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserDeletedFromDatabase.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml b/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
index d56820b847..04c7c1bec9 100644
--- a/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
+++ b/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
@@ -1,4 +1,4 @@
 id: b36464d3-0135-4df0-a5b0-0d61bc6e2da5
 name: User removed from SQL Server SecurityAdmin Group
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRemovedFromSecurityAdmin.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml b/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
index 8209113dfa..521d75e150 100644
--- a/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
+++ b/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
@@ -1,4 +1,4 @@
 id: 8f20e85c-33e2-42cd-80ff-0ae7fa504b58
 name: User removed from SQL Server Roles
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRemovedFromServerRole.yaml'
diff --git a/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml b/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml
index 0159cbf4e7..a339b03f42 100644
--- a/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml
+++ b/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml
@@ -1,4 +1,4 @@
 id: 45ba87e7-e052-4dd4-b68b-789d3f9b507f
 name: User Role altered on SQL Server
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Windows%20SQL%20Server%20Database%20Audit/Hunting%20Queries/SQL-UserRoleChanged.yaml'
diff --git a/Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml b/Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml
index 7dcd9aa17c..17fc61a45b 100644
--- a/Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml
+++ b/Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml
@@ -1,4 +1,4 @@
 id: 3e750b94-88d3-4911-9102-09601f30348d
 name: Invoke-PowerShellTcpOneLine Usage.
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Invoke-PowerShellTcpOneLine.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml b/Hunting Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml
index 45e3c10a27..09f0e34e63 100644
--- a/Hunting Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml
+++ b/Hunting Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml
@@ -1,4 +1,4 @@
 id: f7bfc2c2-0900-424b-bc3a-fe2bf5659371
 name: Least Common Parent And Child Process Pairs
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml b/Hunting Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml
index 271ead6443..603199977c 100644
--- a/Hunting Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml
+++ b/Hunting Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml
@@ -1,4 +1,4 @@
 id: 542c8a57-fe1e-4229-913a-d9466917fc43
 name: Least Common Processes by Command Line
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Process_Command_Lines.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml b/Hunting Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml
index 8a7036a035..fcf7485907 100644
--- a/Hunting Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml
+++ b/Hunting Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml
@@ -1,4 +1,4 @@
 id: 23d1a6c4-6c46-4e28-b091-7252660cb2c7
 name: Least Common Processes Including Folder Depth
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Process_With_Depth.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml b/Hunting Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml
index 0f8945def3..657fcc624b 100644
--- a/Hunting Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml
+++ b/Hunting Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml
@@ -1,4 +1,4 @@
 id: 5bfdeabd-5f85-440e-baf0-13dfed4dc1f9
 name: Potential Exploitation of MS-RPRN printer bug
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/MSRPRN_Printer_Bug_Exploitation.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml b/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
index ef095b5bce..4437fc0f64 100644
--- a/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
+++ b/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
@@ -1,4 +1,4 @@
 id: fe00f86f-523b-4e3c-9b4a-4a64e961248a
 name: Multiple explicit credential usage - 4648 events
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/MultipleExplicitCredentialUsage4648Events.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml b/Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml
index 493df7c747..75298408e7 100644
--- a/Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml
+++ b/Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml
@@ -1,4 +1,4 @@
 id: d95d2a06-64ff-4eb7-a2a0-93954e14f016
 name: New Child Process of W3WP.exe
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/NewChildProcessOfW3WP.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml b/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
index 2d8cf9f7da..51b8eaa9de 100644
--- a/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
+++ b/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
@@ -1,4 +1,4 @@
 id: 8c26819f-87d6-4cce-8024-0b2f254295a4
 name: Nishang Reverse TCP Shell in Base64
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/NishangReverseTCPShellBase64.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml b/Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml
index aa55d7049f..d94558c040 100644
--- a/Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml
+++ b/Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml
@@ -1,4 +1,4 @@
 id: 11c3b83c-39e6-4ad1-8067-90eac05b27b3
 name: Potential Impacket Execution
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/PowerCatDownload.yaml b/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
index d2917873e3..9785cb96b5 100644
--- a/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
+++ b/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
@@ -1,4 +1,4 @@
 id: 37e19244-0359-430a-999c-2e6f091f07f5
 name: Powercat Download
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/PowerCatDownload.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/ProcessEntropy.yaml b/Hunting Queries/SecurityEvent/ProcessEntropy.yaml
index 897e22281c..de06db086e 100644
--- a/Hunting Queries/SecurityEvent/ProcessEntropy.yaml
+++ b/Hunting Queries/SecurityEvent/ProcessEntropy.yaml
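Review bot: The new description line in PotentialImpacketExecution.yaml still ends with a stray `'` and has no opening quote, unlike every sibling file in this patch, which wraps the pointer text in a matched pair. Under `description: |` the quote is literal block-scalar text, so the rendered description ends in a dangling apostrophe right after the URL; the old line had the same defect and the commit carries it forward. Either drop the trailing quote or add the opening one, e.g. `+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml'`. This hunk is the only one in the patch with the mismatch.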
@@ -1,4 +1,4 @@
 id: d3f6ba66-1a8c-40f6-a473-fa768603ee3f
 name: Entropy for Processes for a given Host
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/ProcessEntropy.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml b/Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml
index 63c29e6096..1089a5c1f5 100644
--- a/Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml
+++ b/Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml
@@ -1,4 +1,4 @@
 id: 6c17f205-bda3-41ee-8a21-77fe61af39ea
 name: Rare processes run by Service accounts
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcbyServiceAccount.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RareProcessPath.yaml b/Hunting Queries/SecurityEvent/RareProcessPath.yaml
index 2ea4af69eb..91158f7916 100644
--- a/Hunting Queries/SecurityEvent/RareProcessPath.yaml
+++ b/Hunting Queries/SecurityEvent/RareProcessPath.yaml
@@ -1,4 +1,4 @@
 id: ddc93cc2-154e-4acd-9691-73dbda5736e9
 name: Rare Process Path
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcessPath.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml b/Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml
index 5356fe968c..4a00d83b42 100644
--- a/Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml
+++ b/Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml
@@ -1,4 +1,4 @@
 id: c98cee55-3ad0-451b-a9fd-95cd781b517d
 name: Hosts running a rare process with commandline
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcessWithCmdLine.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml b/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml
index fbe4a8f136..f2dd6973dc 100644
--- a/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml
+++ b/Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml
@@ -1,4 +1,4 @@
 id: 41c3f295-8920-4070-951c-4c78625cacf5
 name: Hosts running a rare process
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcess_forWinHost.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml b/Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml
index 14af919a9b..85f410f571 100644
--- a/Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml
+++ b/Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml
@@ -1,4 +1,4 @@
 id: 0434ad80-c059-40eb-9d8a-ce4e75d5897b
 name: Remote Login Performed with WMI
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/RemoteLoginPerformedwithWMI.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml b/Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml
index 791d48bffd..00f1995f47 100644
--- a/Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml
+++ b/Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml
@@ -1,4 +1,4 @@
 id: 5f8c7e58-e105-47bd-a87f-7488111beb82
 name: Remote Scheduled Task Creation or Update using ATSVC Named Pipe
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml b/Hunting Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml
index 3d92fd49bb..47cdc933ae 100644
--- a/Hunting Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml
+++ b/Hunting Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml
@@ -1,4 +1,4 @@
 id: a9c5c660-e2cf-4229-89a7-4266467ca94c
 name: Scheduled Task Creation or Update from User Writable Directory
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml b/Hunting Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml
index 18f63db38f..6fde16b1a3 100644
--- a/Hunting Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml
+++ b/Hunting Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml
@@ -1,4 +1,4 @@
 id: 90b0efe8-56d4-46eb-9ac2-f4d72cca5c07
 name: Service installation from user writable directory
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/ServiceInstallationFromUsersWritableDirectory.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
index ebc10a601c..eaccdcff60 100644
--- a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
+++ b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
@@ -1,4 +1,4 @@
 id: 18b565c8-79c7-44f2-84eb-ffc4b509900c
 name: Rundll32 (LOLBins and LOLScripts)
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint%20Threat%20Protection%20Essentials/Hunting%20Queries/SignedBinaryProxyExecutionRundll32.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml b/Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml
index a583164f12..36e37dc702 100644
--- a/Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml
+++ b/Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml
@@ -1,4 +1,4 @@
 id: 2841b25a-54d1-4c2a-8d06-3e73ef3b6dbc
 name: Suspected LSASS Dump
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml b/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml
index 7b50d82f0c..2e2a90f43d 100644
--- a/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml
+++ b/Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml
@@ -1,4 +1,4 @@
 id: 484e561d-94ad-4626-bbc6-586558f1f069
 name: Suspicious Windows Login outside normal hours
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Suspicious_Windows_Login_outside_normal_hours.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml b/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
index 457a8260cf..d1574da2ba 100644
--- a/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
+++ b/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
@@ -1,4 +1,4 @@
 id: 5b6770dc-8490-42fd-8f20-93087a744633
 name: Suspicious enumeration using Adfind tool
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Suspicious_enumeration_using_adfind.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml b/Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml
index 748c20bdb3..da087ed227 100644
--- a/Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml
+++ b/Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml
@@ -1,4 +1,4 @@
 id: 275b65d2-f621-4503-aacd-44c3cf6ad6c2
 name: Summary of user logons by logon type
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/User%20Logons%20By%20Logon%20Type.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml b/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml
index 37feb21609..1352d1ce40 100644
--- a/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml
+++ b/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml
@@ -1,4 +1,4 @@
 id: ace1a7a8-25c1-4b80-9103-2e3e11713f31
 name: User Account added to Built in Domain Local or Global Group
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAccountAddedToPrivlegeGroup.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml b/Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml
index b62102a24a..84949840b7 100644
--- a/Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml
+++ b/Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml
@@ -1,4 +1,4 @@
 id: 09d3679e-2ad0-4663-bc35-65f6e82a759c
 name: Long lookback User Account Created and Deleted within 10mins
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAccountCreatedDeleted.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml b/Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml
index 9d60e31d65..89e72d0b09 100644
--- a/Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml
+++ b/Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml
@@ -1,4 +1,4 @@
 id: 1f73fda4-4892-4a44-8359-9363f473c969
 name: User account added or removed from a security group by an unauthorized user
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserAdd_RemToGroupByUnauthorizedUser.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml b/Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml
index e417dee570..eb54a74ec1 100644
--- a/Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml
+++ b/Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml
@@ -1,4 +1,4 @@
 id: b9ebdc07-9fd1-49c6-8cea-45467b2ec468
 name: User created by unauthorized user
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/UserCreatedByUnauthorizedUser.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml b/Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml
index 04c56ba66d..c655bc71e6 100644
--- a/Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml
+++ b/Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml
@@ -1,4 +1,4 @@
 id: d5b1e835-3a4c-4c8a-ab53-dbe7a85a345c
 name: VIP account more than 6 failed logons in 10
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/VIPAccountFailedLogons.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml b/Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml
index ca296be275..6e18d592e8 100644
--- a/Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml
+++ b/Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml
@@ -1,4 +1,4 @@
 id: 4c5efcbe-e420-49c8-8263-6c0928cabad3
 name: Windows System Time changed on hosts
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/WindowsSystemTimeChange.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/masquerading_files.yaml b/Hunting Queries/SecurityEvent/masquerading_files.yaml
index f2afa6d233..26fbb51768 100644
--- a/Hunting Queries/SecurityEvent/masquerading_files.yaml
+++ b/Hunting Queries/SecurityEvent/masquerading_files.yaml
@@ -1,4 +1,4 @@
 id: 34b026e1-622f-4cd6-9a5a-d59ff067a12c
 name: Masquerading files
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/masquerading_files.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/new_processes.yaml b/Hunting Queries/SecurityEvent/new_processes.yaml
index 48a5875b65..b4e2ce28c8 100644
--- a/Hunting Queries/SecurityEvent/new_processes.yaml
+++ b/Hunting Queries/SecurityEvent/new_processes.yaml
@@ -1,4 +1,4 @@
 id: 2a09665a-9c60-4dc1-8d72-66611bb85580
 name: New processes observed in last 24 hours
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/new_processes.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/persistence_create_account.yaml b/Hunting Queries/SecurityEvent/persistence_create_account.yaml
index f795e31e0a..fa493fc4b6 100644
--- a/Hunting Queries/SecurityEvent/persistence_create_account.yaml
+++ b/Hunting Queries/SecurityEvent/persistence_create_account.yaml
@@ -1,4 +1,4 @@
 id: 9730f589-8726-466b-9dbb-69c9428c9992
 name: Summary of users created using uncommon/undocumented commandline switches
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/persistence_create_account.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/powershell_downloads.yaml b/Hunting Queries/SecurityEvent/powershell_downloads.yaml
index fa9970b2ff..605a5fc180 100644
--- a/Hunting Queries/SecurityEvent/powershell_downloads.yaml
+++ b/Hunting Queries/SecurityEvent/powershell_downloads.yaml
@@ -1,4 +1,4 @@
 id: 8519a7d1-db41-4f60-93af-aac86c8231c8
 name: PowerShell downloads
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/powershell_downloads.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml b/Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml
index e8a32c4799..4c75c30952 100644
--- a/Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml
+++ b/Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml
@@ -1,4 +1,4 @@
 id: a1752686-2ac1-4b33-bb1f-8baa8abba9c6
 name: New PowerShell scripts encoded on the commandline
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/powershell_newencodedscipts.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/uncommon_processes.yaml b/Hunting Queries/SecurityEvent/uncommon_processes.yaml
index b4533cec27..cba8f3ba80 100644
--- a/Hunting Queries/SecurityEvent/uncommon_processes.yaml
+++ b/Hunting Queries/SecurityEvent/uncommon_processes.yaml
@@ -1,4 +1,4 @@
 id: 667cc590-c81c-4592-8764-aaca9dad6cf4
 name: Uncommon processes - bottom 5%
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/uncommon_processes.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml b/Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml
index 1a80034185..a2b979ace9 100644
--- a/Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml
+++ b/Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml
@@ -1,4 +1,4 @@
 id: 1d78a512-ca1c-4370-8cd0-05b338a253ef
 name: Attempts to sign in to disabled accounts by account name
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/DisabledAccountSigninAttempts.yaml'
diff --git a/Hunting Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml b/Hunting Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml
index bc7c8f6a81..324116f855 100644
--- a/Hunting Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml
+++ b/Hunting Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml
@@ -1,4 +1,4 @@
 id: 2a0096b0-85df-4fce-8f5d-e12eb65d18d0
 name: Attempts to sign in to disabled accounts by IP address
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/DisabledAccountSigninAttemptsByIP.yaml'
diff --git a/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml b/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
index e803fd90ee..462f3e6ae8 100644
--- a/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
+++ b/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
@@ -1,4 +1,4 @@
 id: afac3fac-bbd9-4dfa-a2b1-b974982cd6ab
 name: Signins From VPS Providers
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/Signins-From-VPS-Providers.yaml'
diff --git a/Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml b/Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml
index 444e784079..454d319fff 100644
--- a/Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml
+++ b/Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml
@@ -1,4 +1,4 @@
 id: 0fb3574a-3b04-415c-9eb8-512c5bea775f
 name: Signins from Nord VPN Providers
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/Signins-from-NordVPN-Providers.yaml'
diff --git a/Hunting Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml b/Hunting Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml
index 48108c17fa..7ba4ba5f82 100644
--- a/Hunting Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml
+++ b/Hunting Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml
@@ -1,4 +1,4 @@
 id: e8a66d91-2de6-4050-8eb5-e12d190e96dc
 name: Suspicious Sign-in to Privileged Account
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials'
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Hunting%20Queries/SuspiciousSignintoPrivilegedAccount.yaml'
diff --git a/Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml b/Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml
index 54acc660eb..a31b5d2fe7 100644
--- a/Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml
+++ b/Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml
@@ -1,4 +1,4 @@
 id: cb637bc8-03e5-4c69-85c9-02fb36cf2e0c
 name: Possible exploitation of Apache log4j component detected
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Apache_log4j_Vulnerability.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Base64_Download_Activity.yaml b/Hunting Queries/Syslog/Base64_Download_Activity.yaml
index a85bbd4935..49d8798e33 100644
--- a/Hunting Queries/Syslog/Base64_Download_Activity.yaml
+++ b/Hunting Queries/Syslog/Base64_Download_Activity.yaml
@@ -1,4 +1,4 @@
 id: 82cd9228-c724-4dfd-a14b-96af4af8974e
 name: Suspicious Base64 download activity detected
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Base64_Download_Activity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Container_Miner_Activity.yaml b/Hunting Queries/Syslog/Container_Miner_Activity.yaml
index cb8c31fe47..08d0d38a1f 100644
--- a/Hunting Queries/Syslog/Container_Miner_Activity.yaml
+++ b/Hunting Queries/Syslog/Container_Miner_Activity.yaml
@@ -1,4 +1,4 @@
 id: e92cb2cb-6475-4984-8553-90d3f92f0a09
 name: Possible Container Miner related artifacts detected
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Container_Miner_Activity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml b/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
index f220bdcdea..5118e9efee 100644
--- a/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
+++ b/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
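Review bot: The new Base64_Download_Activity.yaml pointer only appends `Hunting%20Queries/Base64_Download_Activity.yaml` to the solution folder inherited from the removed line, so it is only as good as that inherited folder, which the commit does not revisit. Container_Miner_Activity in the next hunk and the later Firewall_Disable_Activity, Linux_Toolkit_Detected, Process_Termination_Activity and Suspicious_ShellScript_Activity hunks are built the same way and all resolve into the Apache Log4j Vulnerability Detection solution, although their names read as general Syslog hunting content rather than Log4j detection. It would be worth confirming each target file exists at the path written before merging, since these stubs are the only pointer left in the old location and a dead link leaves analysts with no way to find the migrated query.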
@@ -1,4 +1,4 @@
 id: 5e90f8fb-2966-49cf-9dd3-be6c22babb9a
 name: Crypto currency miners EXECVE
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/CryptoCurrencyMiners.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/CryptoThreatActivity.yaml b/Hunting Queries/Syslog/CryptoThreatActivity.yaml
index bbc5e70093..7bf8ee2fba 100644
--- a/Hunting Queries/Syslog/CryptoThreatActivity.yaml
+++ b/Hunting Queries/Syslog/CryptoThreatActivity.yaml
@@ -1,4 +1,4 @@
 id: 782d2776-789f-42e1-92bb-7e6d662f3c6b
 name: Suspicious crytocurrency mining related threat activity detected
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/CryptoThreatActivity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Firewall_Disable_Activity.yaml b/Hunting Queries/Syslog/Firewall_Disable_Activity.yaml
index 611e07c070..fffa78c2d3 100644
--- a/Hunting Queries/Syslog/Firewall_Disable_Activity.yaml
+++ b/Hunting Queries/Syslog/Firewall_Disable_Activity.yaml
@@ -1,4 +1,4 @@
 id: 7f220c5b-677e-44a1-9b50-56c03b208b85
 name: Suspicious manipulation of firewall detected via Syslog data
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Firewall_Disable_Activity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml b/Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml
index e637ad12c6..189877e440 100644
--- a/Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml
+++ b/Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml
@@ -1,4 +1,4 @@
 id: 6bb091a5-ddda-419f-bc69-684a7a2b5945
 name: Possible Linux attack toolkit detected via Syslog data
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Linux_Toolkit_Detected.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Process_Termination_Activity.yaml b/Hunting Queries/Syslog/Process_Termination_Activity.yaml
index a2aa6f93ed..51f855fecf 100644
--- a/Hunting Queries/Syslog/Process_Termination_Activity.yaml
+++ b/Hunting Queries/Syslog/Process_Termination_Activity.yaml
@@ -1,4 +1,4 @@
 id: df0add0f-de42-4099-9657-34ae9de7a7f8
 name: Linux security related process termination activity detected
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Process_Termination_Activity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/RareProcess_ForLxHost.yaml b/Hunting Queries/Syslog/RareProcess_ForLxHost.yaml
index f060c57c02..d4f93c5153 100644
--- a/Hunting Queries/Syslog/RareProcess_ForLxHost.yaml
+++ b/Hunting Queries/Syslog/RareProcess_ForLxHost.yaml
@@ -1,4 +1,4 @@
 id: 47a9a19a-724b-443d-bda3-01a25bb2aeb5
 name: Rare process running on a Linux host
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/RareProcess_ForLxHost.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml b/Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml
index 4d7d970146..58a2b0daa3 100644
--- a/Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml
+++ b/Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml
@@ -1,4 +1,4 @@
 id: 6963e4f9-ac8e-4b6d-933e-a7fc2142a78e
 name: SCX Execute RunAs Providers
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SCXExecuteRunAsProviders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/SchedTaskAggregation.yaml b/Hunting Queries/Syslog/SchedTaskAggregation.yaml
index eb98b43741..3c1f6ce563 100644
--- a/Hunting Queries/Syslog/SchedTaskAggregation.yaml
+++ b/Hunting Queries/Syslog/SchedTaskAggregation.yaml
@@ -1,4 +1,4 @@
 id: deb432fc-683b-4f8d-976e-d65e2bcf9a4e
 name: Linux scheduled task Aggregation
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SchedTaskAggregation.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml b/Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml
index 8b1f0941b9..84b4108180 100644
--- a/Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml
+++ b/Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml
@@ -1,4 +1,4 @@
 id: 4dbfdd9c-187a-49d8-8744-2af0f91f36b5
 name: Editing Linux scheduled tasks through Crontab
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/SchedTaskEditViaCrontab.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml b/Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml
index cbc77ac06b..838ad5d83d 100644
--- a/Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml
+++ b/Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml
@@ -1,4 +1,4 @@
 id: 9700f1da-7b1c-4702-820e-9c9ec8f2ec55
 name: Suspicious Shell script detected
 description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection'
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Hunting%20Queries/Suspicious_ShellScript_Activity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/squid_abused_tlds.yaml b/Hunting Queries/Syslog/squid_abused_tlds.yaml
index 3aa80d7ab6..f51178b8e2 100644
--- a/Hunting Queries/Syslog/squid_abused_tlds.yaml
+++ b/Hunting Queries/Syslog/squid_abused_tlds.yaml
@@ -1,4 +1,4 @@
 id: 2115e5f0-7dca-4469-8e67-e7a100f1f6ab
 name: Squid commonly abused TLDs
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_abused_tlds.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/squid_malformed_requests.yaml b/Hunting Queries/Syslog/squid_malformed_requests.yaml
index 08e9a02707..b5cf95fc4d 100644
--- a/Hunting Queries/Syslog/squid_malformed_requests.yaml
+++ b/Hunting Queries/Syslog/squid_malformed_requests.yaml
@@ -1,4 +1,4 @@
 id: 5a615b8f-a22c-48a7-9014-b2d3da112a44
 name: Squid malformed requests
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_malformed_requests.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Syslog/squid_volume_anomalies.yaml b/Hunting Queries/Syslog/squid_volume_anomalies.yaml
index 29c133e5a3..fa29a475aa 100644
--- a/Hunting Queries/Syslog/squid_volume_anomalies.yaml
+++ b/Hunting Queries/Syslog/squid_volume_anomalies.yaml
@@ -1,4 +1,4 @@
 id: c43430c6-0d03-4be5-9549-535a61770bf2
 name: Squid data volume timeseries anomalies
 description: |
- 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog'
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Hunting%20Queries/squid_volume_anomalies.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml
index 51488796f7..b369ba6dc8 100644
--- a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml
+++ b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml
@@ -1,4 +1,4 @@
 id: e8f35698-1bdd-4f8d-b416-8d1e4f7ae195
 name: Preview - TI map File entity to OfficeActivity Event
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_OfficeActivity.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml
index 93b86cc8d7..105dbd5e3a 100644
--- a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml
+++ b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml
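Review bot: The rewritten description line for FileEntity_OfficeActivity.yaml carries a trailing apostrophe with no opening one, `+ As part of content migration, ... /Hunting%20Queries/FileEntity_OfficeActivity.yaml'`; inside a `description: |` literal block it is plain text, so the YAML still parses, but the stray quote is rendered as part of the description. The same unbalanced quote is carried into the four following FileEntity_* hunks (SecurityEvent, Syslog, VMConnection and WireData). Every other stub in this commit wraps the text as `'...'`, and since these lines are being rewritten anyway, either dropping the trailing `'` or adding the opening one would bring them in line at no extra cost.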
@@ -1,4 +1,4 @@
 id: 4fb17aa0-d404-4a66-aa68-b37156c8c506
 name: Preview - TI map File entity to Security Event
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_SecurityEvent.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml
index de7c05225b..bc481e296b 100644
--- a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml
+++ b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml
@@ -1,4 +1,4 @@
 id: d5a41ea2-3dbb-476f-94fe-8df6521af740
 name: Preview - TI map File entity to Syslog Event
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_Syslog.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
index 40b5fa8c34..3417de3cd7 100644
--- a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
+++ b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
@@ -1,4 +1,4 @@
 id: c23db0e9-0caa-4904-96fb-e72d2317b0af
 name: Preview - TI map File entity to VMConnection Event
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_VMConnection.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
index f3afc06e08..31a3ab5caa 100644
--- a/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
+++ b/Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
@@ -1,4 +1,4 @@
 id: 629ecb36-3d3c-4567-8e13-7688b0ed4414
 name: Preview - TI map File entity to WireData Event
 description: |
- As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence'
\ No newline at end of file
+ As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Hunting%20Queries/FileEntity_WireData.yaml'
\ No newline at end of file