Update versions
Родитель
87223204d0
Коммит
cbb05d9204
|
@ -64,7 +64,7 @@ entityMappings:
|
|||
customDetails:
|
||||
IpAddresses: IpAddresses
|
||||
ReportedBy: ReportedBy
|
||||
version: 1.2.4
|
||||
version: 1.2.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
id: 983a6922-894d-413c-9f04-d7add0ecc307
|
||||
name: Potential DGA detected (ASIM DNS Schema)
|
||||
description: |
|
||||
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).
|
||||
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with
|
||||
NXDomain records in prior 10-day baseline period).
|
||||
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
@ -70,7 +71,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
version: 1.3.3
|
||||
version: 1.3.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
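Review bot: The reflowed description lines still carry the single quotes from the original one-line value, and under `description: |` a quote is literal content, so the rendered description now begins with `'` on the first new line and ends with `'` after `ASIM DNS schema`. Drop both characters: `Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with` and `This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema`. A literal block also keeps the line break introduced between `associated with` and `NXDomain records`, so the sentence presumably renders with a newline in the middle; if a single paragraph is intended, `description: >` folds it. The beaconing-rule section further down (`Potential beaconing activity (ASIM Network Session schema)`) has the same trailing `schema'` quote on its last description line.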
|
|
|
@ -49,7 +49,7 @@ customDetails:
|
|||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
|
||||
alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
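Review bot: The `alertDisplayNameFormat` context line in this hunk has an unbalanced placeholder, `{{SrcIpAddr}`, so the source address is unlikely to be substituted into the alert title; the commit bumps the rule to 1.0.5 without correcting it. Change the line to `alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}}`, matching the `{{SrcIpAddr}}` form used on the `alertDescriptionFormat` line directly below it. The enclosing `alertDetailsOverride` mapping starts outside the hunk.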
|
|
|
@ -109,7 +109,7 @@ alertDetailsOverride:
|
|||
customDetails:
|
||||
DGAPattern: DGADomain
|
||||
NameCount: NameCount
|
||||
version: 1.1.3
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -60,7 +60,7 @@ customDetails:
|
|||
|
||||
eventGroupingSettings:
|
||||
aggregationKind: AlertPerResult
|
||||
version: 1.1.3
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -103,7 +103,7 @@ entityMappings:
|
|||
columnName: VirtualMachineName
|
||||
- identifier: AzureID
|
||||
columnName: Scope
|
||||
version: 1.0.7
|
||||
version: 1.0.8
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -52,7 +52,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: RequestURL
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -72,7 +72,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: DestinationIP
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -118,7 +118,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: DomainName
|
||||
columnName: Name
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -42,7 +42,7 @@ customDetails:
|
|||
OSType: OSType
|
||||
OSName: OSName
|
||||
kind: Scheduled
|
||||
version: 1.1.3
|
||||
version: 1.1.4
|
||||
metadata:
|
||||
source:
|
||||
kind: Community
|
||||
|
|
|
@ -37,7 +37,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: RequestTarget
|
||||
version: 1.1.3
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -73,7 +73,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIP
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -93,7 +93,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: DeviceName
|
||||
version: 1.2.2
|
||||
version: 1.2.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -88,7 +88,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: RequestURL
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -57,7 +57,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -96,7 +96,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIP
|
||||
version: 1.0.5
|
||||
version: 1.0.6
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -123,7 +123,7 @@ entityMappings:
|
|||
columnName: TargetName
|
||||
- identifier: UPNSuffix
|
||||
columnName: TargetUPNSuffix
|
||||
version: 2.1.6
|
||||
version: 2.1.7
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -111,7 +111,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -66,7 +66,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: CallerIpAddress
|
||||
version: 1.0.9
|
||||
version: 1.0.10
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -54,7 +54,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIP
|
||||
version: 1.0.5
|
||||
version: 1.0.6
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -75,7 +75,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddress
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -138,4 +138,4 @@ alertDetailsOverride:
|
|||
- alertProperty: ProductComponentName
|
||||
value: "Microsoft Defender"
|
||||
kind: Scheduled
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
|
|
|
@ -46,7 +46,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: PublicIP
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -47,7 +47,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: PublicIP
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -46,7 +46,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: PublicIP
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -48,7 +48,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: PublicIP
|
||||
version: 1.0.5
|
||||
version: 1.0.6
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -61,7 +61,7 @@ entityMappings:
|
|||
columnName: ImageFileName
|
||||
- identifier: Directory
|
||||
columnName: ImageDirectory
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -137,7 +137,7 @@ entityMappings:
|
|||
columnName: GroupAddHostName
|
||||
- identifier: DnsDomain
|
||||
columnName: GroupAddHostNameDomain
|
||||
version: 1.1.6
|
||||
version: 1.1.7
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -105,7 +105,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIPAddress
|
||||
version: 1.1.6
|
||||
version: 1.1.7
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -132,7 +132,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: FirstIPAddress
|
||||
version: 1.2.5
|
||||
version: 1.2.6
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -99,7 +99,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.3.7
|
||||
version: 1.3.8
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -135,7 +135,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.2.1
|
||||
version: 1.2.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -136,7 +136,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.2.2
|
||||
version: 1.2.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -37,7 +37,7 @@ entityMappings:
|
|||
columnName: HostName
|
||||
- identifier: NTDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -79,7 +79,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: cIP
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -52,7 +52,7 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: _ResourceId
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -49,5 +49,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -51,5 +51,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -46,5 +46,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIpAddress
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: NRT
|
||||
|
|
|
@ -43,5 +43,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: MaliciousHost
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -34,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: VirtualMachine
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
|
@ -97,5 +97,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: Account
|
||||
version: 1.0.7
|
||||
version: 1.0.8
|
||||
kind: Scheduled
|
||||
|
|
|
@ -50,5 +50,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddress
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -76,5 +76,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: CallerIPMax
|
||||
version: 1.0.7
|
||||
version: 1.0.8
|
||||
kind: Scheduled
|
||||
|
|
|
@ -81,5 +81,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: CallerIPAddress
|
||||
version: 1.0.5
|
||||
version: 1.0.6
|
||||
kind: Scheduled
|
||||
|
|
|
@ -80,5 +80,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -79,5 +79,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: ResourceId
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -60,5 +60,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: clientIp_s
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -53,5 +53,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -33,5 +33,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -61,5 +61,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.6
|
||||
version: 1.0.7
|
||||
kind: Scheduled
|
||||
|
|
|
@ -49,5 +49,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -63,5 +63,5 @@ entityMappings:
|
|||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -65,5 +65,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: DeletingIP
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
|
@ -51,5 +51,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -29,5 +29,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: NRT
|
||||
|
|
|
@ -68,5 +68,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -51,5 +51,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IpAddress
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -84,5 +84,5 @@ alertDetailsOverride:
|
|||
alertDescriptionFormat: |
|
||||
This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
|
||||
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -68,5 +68,5 @@ alertDetailsOverride:
|
|||
alertDescriptionFormat: |
|
||||
This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
|
||||
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
|
|
|
@ -83,5 +83,5 @@ entityMappings:
|
|||
columnName: AdminInitiatorName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AdminInitiatorUPNSuffix
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
|
@ -2,7 +2,7 @@ id: 20d52a04-b5d8-402d-88e2-7929d12cbdcd
|
|||
name: Disable or Modify Windows Defender
|
||||
description: |
|
||||
This detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes.
|
||||
Note that this detection is imperfect and is only meant to serve as basis for building a more resilient detection rule. Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule.
|
||||
Note that this detection is imperfect and is only meant to serve as basis for building a more resilient detection rule. Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule.
|
||||
See blogpost (https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab?source=friends_link&sk=3c7c499797bbb4d74879e102ef3ecf8f) for more resilience considerations. The current approach can easily be bypassed by not using the powershell.exe executable.
|
||||
Consider adding more ways to detect this behavior.
|
||||
severity: Medium
|
||||
|
@ -42,5 +42,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: CommandLine
|
||||
columnName: ProcessCommandLine
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -43,5 +43,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: CommandLine
|
||||
columnName: ProcessCommandLine
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -41,5 +41,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: CommandLine
|
||||
columnName: InitiatingProcessCommandLine
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -75,5 +75,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: SourceUserName
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -44,5 +44,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: CommandLine
|
||||
columnName: ProcessCommandLine
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -44,5 +44,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetDetails
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
||||
|
|
|
@ -123,4 +123,4 @@ alertDetailsOverride:
|
|||
|
||||
tags:
|
||||
- Schema: ASIMNetworkSession
|
||||
SchemaVersion: 0.2.4
|
||||
SchemaVersion: 0.2.5
|
||||
|
|
|
@ -84,5 +84,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
||||
version: 2.1.0
|
||||
version: 2.1.1
|
||||
kind: Scheduled
|
||||
|
|
|
@ -67,5 +67,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
||||
version: 2.1.1
|
||||
version: 2.1.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -78,5 +78,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: Site_Url
|
||||
version: 2.2.3
|
||||
version: 2.2.4
|
||||
kind: Scheduled
|
||||
|
|
|
@ -46,5 +46,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: ClientIP
|
||||
version: 2.0.5
|
||||
version: 2.0.6
|
||||
kind: Scheduled
|
|
@ -55,5 +55,5 @@ incidentConfiguration:
|
|||
- Account
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
|
|
|
@ -55,5 +55,5 @@ incidentConfiguration:
|
|||
- Account
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
|
|
|
@ -45,5 +45,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: PublicIP
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
@ -63,5 +63,5 @@ alertDetailsOverride:
|
|||
This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
|
||||
individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}}
|
||||
different locations.
|
||||
version: 2.0.3
|
||||
version: 2.0.4
|
||||
kind: Scheduled
|
|
@ -73,5 +73,5 @@ alertDetailsOverride:
|
|||
and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look
|
||||
to pivot to other tenants leveraging cross-tenant delegated access in this manner.
|
||||
In this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.
|
||||
version: 2.0.2
|
||||
version: 2.0.3
|
||||
kind: Scheduled
|
||||
|
|
|
@ -73,5 +73,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddressFirst
|
||||
version: 1.0.6
|
||||
version: 1.0.7
|
||||
kind: Scheduled
|
||||
|
|
|
@ -92,5 +92,5 @@ alertDetailsOverride:
|
|||
is absolutely necessary for the applications function.
|
||||
In this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}
|
||||
Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -102,5 +102,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddress
|
||||
version: 1.0.6
|
||||
version: 1.0.7
|
||||
kind: Scheduled
|
||||
|
|
|
@ -57,5 +57,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddress
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
|
|
|
@ -82,5 +82,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPAddress
|
||||
version: 1.0.6
|
||||
version: 1.0.7
|
||||
kind: Scheduled
|
||||
|
|
|
@ -105,5 +105,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: InitiatingIpAddress
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
||||
|
|
|
@ -176,4 +176,4 @@ alertDetailsOverride:
|
|||
- alertProperty: ProductComponentName
|
||||
value: "AWSGuarduty"
|
||||
kind: Scheduled
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
|
|
|
@ -148,4 +148,4 @@ alertDetailsOverride:
|
|||
- alertProperty: ProductComponentName
|
||||
value: "Microsoft Security"
|
||||
kind: Scheduled
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
|
|
|
@ -144,4 +144,4 @@ alertDetailsOverride:
|
|||
- alertProperty: ProductComponentName
|
||||
value: "AWSGuardDuty"
|
||||
kind: Scheduled
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
|
|
|
@ -142,4 +142,4 @@ alertDetailsOverride:
|
|||
- alertProperty: ProductComponentName
|
||||
value: "AWSGuardDuty"
|
||||
kind: Scheduled
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
|
|
|
@ -86,5 +86,5 @@ customDetails:
|
|||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Excessive number of failed connections from {{SrcIpAddr}}
|
||||
alertDescriptionFormat: 'The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.'
|
||||
version: 1.2.5
|
||||
version: 1.2.6
|
||||
kind: Scheduled
|
||||
|
|
|
@ -90,5 +90,5 @@ entityMappings:
|
|||
customDetails:
|
||||
AttemptedPortsCount: AttemptedPortsCount
|
||||
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
id: fcb9d75c-c3c1-4910-8697-f136bfef2363
|
||||
name: Potential beaconing activity (ASIM Network Session schema)
|
||||
description: |
|
||||
This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).
|
||||
This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns.
|
||||
Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).
|
||||
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
|
||||
severity: Low
|
||||
status: Available
|
||||
|
@ -154,5 +155,5 @@ customDetails:
|
|||
FrequencyTime: MostFrequentTimeDeltaCount
|
||||
TotalDstBytes: TotalDstBytes
|
||||
|
||||
version: 1.1.4
|
||||
version: 1.1.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -66,5 +66,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: RequestURL
|
||||
version: 1.1.5
|
||||
version: 1.1.6
|
||||
kind: Scheduled
|
||||
|
|
|
@ -80,5 +80,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIP
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
|
@ -65,5 +65,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.4
|
||||
version: 1.0.5
|
||||
kind: Scheduled
|
||||
|
|
|
@ -48,5 +48,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: User
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -55,5 +55,5 @@ entityMappings:
|
|||
columnName: UPNSuffix
|
||||
- identifier: AadUserId
|
||||
columnName: AadUserId
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
|
|
|
@ -37,5 +37,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: SourceSystem
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -40,5 +40,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: SourceSystem
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -36,5 +36,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: SourceSystem
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -37,5 +37,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: SourceSystem
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -36,5 +36,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ResourceId
|
||||
columnName: SourceSystem
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|