Required items, please complete

   Change(s):
   - Removing custom entity mappings
   - Splitting host and account

   Reason for Change(s):
   - Required for entity work

   Version Updated:
   - yes

   Testing Completed:
   - yes

   Checked that the validations are passing and have addressed any issues that are present:
   - No
This commit is contained in:
Manuel Melendez 2024-04-16 15:01:28 -07:00
Родитель e518483206
Коммит c50964aaf0
10 изменённых файлов: 59 добавлений и 43 удалений


@ -69,19 +69,18 @@ query: |
| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction
// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)
| where Periodicity >= (10*TimeDeltaThresholdInSeconds)
| extend timestamp = StartTime, IPCustomEntity = DestinationIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.3
columnName: DestinationIP
version: 1.0.4
kind: Scheduled
metadata:
source:
kind: Community
author:
name: robMSFT
name: Microsoft Security Research
support:
tier: Community
categories:


@ -110,23 +110,22 @@ query: |
)
on Name
| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource
| extend timestamp=StartTime, IPCustomEntity=SourceIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
columnName: SourceIP
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Name
version: 1.0.2
version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: robMSFT
name: Microsoft Security Research
support:
tier: Community
categories:


@ -74,20 +74,18 @@ query: |
| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies
| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies
| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies
| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
columnName: SourceIPMax
version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Ashwin Patil
name: Microsoft Security Research
support:
tier: Community
categories:


@ -14,17 +14,21 @@ query: |
let timeframe = ago(5m);
DuoSecurityTrustMonitor_CL
| where TimeGenerated >= timeframe
| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s
| extend AccountName = tostring(split(surfaced_auth_user_name_s, "@")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
columnName: surfaced_auth_user_name_s
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
columnName: surfaced_auth_access_device_ip_s
version: 1.0.3
kind: Scheduled
metadata:
source:


@ -83,22 +83,21 @@ query: |
or UserAgent matches regex @"MSIE\s?;"
// Incorrect spacing around MSIE version
or UserAgent matches regex @"MSIE(?:\d|.{1,5}?\d\s;)"
| extend timestamp = StartTime, IPCustomEntity = SourceIP, Name = split(Account, "@")[0], UPNSuffix = split(Account, "@")[1]
| extend AccountName = split(Account, "@")[0], UPNSuffix = split(Account, "@")[1]
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Account
- identifier: Name
columnName: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.4
columnName: SourceIP
version: 1.0.5
kind: Scheduled
metadata:
source:
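Review bot: The new extend `| extend AccountName = split(Account, "@")[0], UPNSuffix = split(Account, "@")[1]` leaves both mapped columns dynamic-typed, while the other hunks in this commit wrap the same split() results in tostring(); the inconsistency is worth removing before the rule is validated, since entity mappings on dynamic columns may not behave the same as on string columns. `| extend AccountName = tostring(split(Account, "@")[0]), UPNSuffix = tostring(split(Account, "@")[1])` would match the Duo, Zoom and Computer-based hunks. The query body starts outside this hunk.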


@ -77,27 +77,37 @@ query: |
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
columnName: Account
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
columnName: IPAddress
version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Ajeet Prakash
name: Microsoft Security Research
support:
tier: Community
categories:
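Review bot: The Account mapping entry `columnName: UPNSuffix` refers to a column this hunk never produces: the new extend defines `AccountUPNSuffix`, so unless UPNSuffix is projected earlier in the query (which starts outside this hunk) the UPNSuffix identifier will be empty; `columnName: AccountUPNSuffix` would match the Duo and Zoom hunks. The Host mapping also appears to end up with two `identifier: HostName` entries on the new side, one on `Computer` and one on the derived `HostName`; the first should presumably be `identifier: FullName`, as the VirtualMAchine hunk does. Finally, the fallback in `iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)` sets HostNameDomain to the bare host name when there is no dot, so a non-FQDN host gets mapped with its own name as its NTDomain; an empty string as the fallback avoids that, and the same pattern is in the VirtualMAchine hunk. Whether the part after the first dot of a DNS name belongs under NTDomain rather than DnsDomain is also worth confirming.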


@ -21,13 +21,12 @@ query: |
| where Messages contains "Unauthenticated request url /dana-na/"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
| where count_ > threshold
| extend timestamp = StartTime, IPCustomEntity = Source_IP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
columnName: Source_IP
version: 1.0.2
kind: Scheduled
metadata:
source:


@ -26,19 +26,24 @@ query: |
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.3
columnName: VirtualMAchine
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.0.4
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Ajeet Prakash
name: Microsoft Security Research
support:
tier: Community
categories:


@ -62,19 +62,18 @@ query: |
| where portCount >= portThreshold
| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount
| order by portCount
| extend timestamp = TimeGenerated, IPCustomEntity = cIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
columnName: cIP
version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Shain
name: Microsoft Security Research
support:
tier: Community
categories:


@ -19,19 +19,23 @@ query: |
| extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
| extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
| extend timestamp = TimeGenerated, AccountCustomEntity = User
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.2
columnName: User
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Pete Bryan
name: Microsoft Security Research
support:
tier: Community
categories: