Fixes for IP, User, Process

2020-10-20 17:48:45 -07:00 · 2020-10-20 17:48:45 -07:00 · caeb9b887b
--- a/Queries/SecurityAlert/AlertsForIP.yaml
+++ b/Queries/SecurityAlert/AlertsForIP.yaml
@ -23,11 +23,15 @@ query: |
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
  // expand JSON properties
-  | where ExtendedProperties contains v_ipAddress or Entities contains v_ipAddress
-  | extend Extprop = parsejson(ExtendedProperties)
-  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
-  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
-  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | extend Extprop = parsejson(Entities)
+  | mv-expand Extprop
+  | extend Extprop = parsejson(Extprop)
+  | extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '') 
+  | where IpAddress == v_ipAddress
+  | extend Account = Extprop['Name']
+  | extend Domain = Extprop['UPNSuffix']
+  | extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
+  | extend Computer = iff(Extprop['Type']=="host", Extprop['HostName'], '')
  | project StartTimeUtc = StartTime, EndTimeUtc = EndTime, AlertName, Computer, Account, IpAddress, ExtendedProperties, Entities
  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
--- a/Queries/SecurityAlert/AlertsForUser.yaml
+++ b/Queries/SecurityAlert/AlertsForUser.yaml
@ -22,12 +22,15 @@ query: |
  let v_EndTime = suspiciousEventTime+6h;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
+  | extend Extprop = parsejson(Entities)
+  | mv-expand Extprop
+  | extend Extprop = parsejson(Extprop)
+  | extend Account = Extprop['Name']
+  | extend Domain = Extprop['UPNSuffix']
+  | extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
  | where Account contains v_User
-  // expand JSON properties
-  | extend Extprop = parsejson(ExtendedProperties)
-  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
-  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
-  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
+  | extend Computer = iff(Extprop['Type']=="host", Extprop['HostName'], '')
+  | extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '') 
  | project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
--- a/Queries/SecurityAlert/AlertsWithProcess.yaml
+++ b/Queries/SecurityAlert/AlertsWithProcess.yaml
@ -21,14 +21,21 @@ query: |
  let v_EndTime = suspiciousEventTime+1d;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
-  | where ProcessName has v_Process
-  | extend Extprop = parsejson(ExtendedProperties)
-  | extend ProcessName = parse_json(ExtendedProperties).["Suspicious Process"]
-  | extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
-  | extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
-  | extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"]) 
-  | project TimeGenerated, AlertName, ProcessName, Computer, Account, IpAddress, ExtendedProperties 
-  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
+  | where Entities has v_Process
+  | extend Extprop = parsejson(Entities)
+  | mv-expand Extprop
+  | extend Extprop = parsejson(Extprop)
+  | extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
+  | extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
+  | extend Account = Extprop['Name']
+  | extend Domain = Extprop['UPNSuffix']
+  | extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
+  | extend Computer = iff(Extprop['Type']=="host", Extprop['HostName'], '')
+  | extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
+  | extend Process = iff(isnotempty(CmdLine), CmdLine, File)
+  | summarize max(TimeGenerated), make_set(AlertName), make_set(Process), make_set(Computer), make_set(Account), make_set(IpAddress), make_set(Entities) by SystemAlertId
+  | project TimeGenerated = max_TimeGenerated, AlertName=set_AlertName[0], Process=set_Process[1], Account = set_Account[1], Computer=set_Computer[0], IPAddress = set_IpAddress[1], Entities=set_Entities
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
  | top 10 by TimeGenerated desc nulls last
  };
  // change datetime value and <processname> value below