Merge pull request #3513 from socprime/cisco_duo_content

ciscoduo content

.script/tests/KqlvalidationsTests/CustomTables/CiscoDuo.json

@@ -0,0 +1,333 @@
+{
+    "Name": "CiscoDuo",
+    "Properties": [
+        {
+            "Name": "AccessDvcBrowser",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "AccessDvcBrowserVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcEncryptionEnabled",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "AccessDvcFirewallEnabled",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "AccessDvcFlashVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcJavaVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcFlashVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcLocationState",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcOsVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "AccessDvcPasswordSet",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "AccessDvcSecurityAgents",
+            "Type": "String"
+        },
+        {
+            "Name": "Alias",
+            "Type": "String"
+        },
+        {
+            "Name": "AuthDeviceCity",
+            "Type": "String"
+        },
+        {
+            "Name": "AuthDeviceCountry",
+            "Type": "String"
+        },
+        {
+            "Name": "AuthDeviceState",
+            "Type": "String"
+        },
+        {
+            "Name": "AuthFactor",
+            "Type": "String"
+        },
+        {
+            "Name": "Context",
+            "Type": "String"
+        },
+        {
+            "Name": "Credits",
+            "Type": "Double"
+        },
+        {
+            "Name": "description_s",
+            "Type": "String"
+        },
+        {
+            "Name": "DstGeoRegion",
+            "Type": "String"
+        },
+        {
+            "Name": "DstUserName",
+            "Type": "String"
+        },
+        {
+            "Name": "DvcAction",
+            "Type": "String"
+        },
+        {
+            "Name": "DvcHostname",
+            "Type": "String"
+        },
+        {
+            "Name": "EventEndTime",
+            "Type": "String"
+        },
+        {
+            "Name": "EventProduct",
+            "Type": "String"
+        },
+        {
+            "Name": "EventResult",
+            "Type": "String"
+        },
+        {
+            "Name": "EventResultDetails",
+            "Type": "String"
+        },
+        {
+            "Name": "EventType",
+            "Type": "String"
+        },
+        {
+            "Name": "EventUid",
+            "Type": "String"
+        },
+        {
+            "Name": "EventVendor",
+            "Type": "String"
+        },
+        {
+            "Name": "Explanations",
+            "Type": "String"
+        },
+        {
+            "Name": "FromCommonNetblock",
+            "Type": "String"
+        },
+        {
+            "Name": "FromNewUser",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "HttpUserAgentOriginal",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "IsoTimestamp",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "Phone",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "PriorityEvent",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "PriorityReasons",
+            "Type": "String"
+        },
+        {
+            "Name": "Sekey",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcAppId",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcAppName",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcDomainType",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcDvcOs",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcDvcType",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcGeoCity",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcGeoCountry",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcHostname",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcRiskLevel",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "SrcUserId",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcUserName",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceBrowser",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceBrowserVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceEncryptionEnabled",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceFirewallEnabled",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceIp",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceLocationCity",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceLocationCountry",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceLocationState",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceOs",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceOsVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDevicePasswordSet",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAccessDeviceSecurityAgents",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthAlias",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthApplicationKey",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthApplicationName",
+            "Type": "Double"
+        },
+        {
+            "Name": "SurfacedAuthEmail",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthFactor",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "SurfacedAuthIsotimestamp",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "SurfacedAuthOodSoftware",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthReason",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthResult",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthTimestamp",
+            "Type": "Double"
+        },
+        {
+            "Name": "SurfacedAuthTransactionId",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthUserGroups",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthUserKey",
+            "Type": "String"
+        },
+        {
+            "Name": "SurfacedAuthUserName",
+            "Type": "Double"
+        },
+        {
+            "Name": "SurfacedTimestamp",
+            "Type": "Double"
+        },
+        {
+            "Name": "TransactionId",
+            "Type": "String"
+        },
+        {
+            "Name": "TriagedAsInteresting",
+            "Type": "Boolean"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -33,6 +33,7 @@
   "CEF",
   "CheckPoint",
   "CiscoASA",
+  "CiscoDuoSecurity",
   "CiscoFirepowerEStreamer",
   "CiscoISE",
   "CiscoMeraki",

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoADSyncFailed.yaml

@@ -0,0 +1,28 @@
+id: 398dd1cd-3251-49d8-b927-5b93bae4a094
+name: Cisco Duo - AD sync failed
+description: |
+  'Detects when AD syncronization failed.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1489
+query: |
+  CiscoDuo
+  | where DvcAction =~ "ad_sync_failed"
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminDeleted.yaml

@@ -0,0 +1,28 @@
+id: 6424c623-31a5-4892-be33-452586fd4075
+name: Cisco Duo - Admin user deleted
+description: |
+  'Detects when admin user is deleted.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  CiscoDuo
+  | where DvcAction =~ "admin_delete"
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml

@@ -0,0 +1,31 @@
+id: e46c5588-e643-4a60-a008-5ba9a4c84328
+name: Cisco Duo - Multiple admin 2FA failures
+description: |
+  'Detects when multiple admin 2FA failures occurs.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let threshold = 10;
+  CiscoDuo
+  | where DvcAction =~ "admin_2fa_error"
+  | summarize count() by DstUserName, bin(TimeGenerated, 10m)
+  | where count_ > threshold
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled 

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml

@@ -0,0 +1,28 @@
+id: 413e49a5-b107-4698-8428-46b89308bd22
+name: Cisco Duo - Admin password reset
+description: |
+  'Detects when admin's password was reset.'
+severity: High
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where DvcAction =~ "admin_reset_password"
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUserLoginFailures.yaml

@@ -0,0 +1,32 @@
+id: 034f62b6-df51-49f3-831f-1e4cfd3c40d2
+name: Cisco Duo - Multiple user login failures
+description: |
+  'Detects when multiple user login failures occurs.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let threshold = 10;
+  CiscoDuo
+  | where EventType =~ 'authentication'
+  | where EventResult in~ ('denied', 'failure')
+  | summarize count() by DstUserName, bin(TimeGenerated, 10m)
+  | where count_ > threshold
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUsersDeleted.yaml

@@ -0,0 +1,30 @@
+id: 6e4f9031-91d3-4fa1-8baf-624935f04ad8
+name: Cisco Duo - Multiple users deleted
+description: |
+  'Detects when multiple users were deleted.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  CiscoDuo
+  | where DvcAction =~ "user_delete"
+  | summarize count() by DstUserName, bin(TimeGenerated, 10m)
+  | where count_ > 1
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAccessDevice.yaml

@@ -0,0 +1,39 @@
+id: f05271b6-26a5-49cf-ad73-4a202fba6eb6
+name: Cisco Duo - New access device
+description: |
+  'Detects new access device.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where EventType =~ 'authentication'
+  | where EventResult =~ 'success'
+  | where isnotempty(AccessDvcIpAddr)
+  | summarize dvc_ip = makeset(AccessDvcIpAddr) by DstUserName
+  | join (CiscoDuo
+          | where EventType =~ 'authentication'
+          | where EventResult =~ 'success') on DstUserName
+  | where dvc_ip !has AccessDvcIpAddr
+  | extend IPCustomEntity = AccessDvcIpAddr, AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAdmin.yaml

@@ -0,0 +1,29 @@
+id: 0724cb01-4866-483d-a149-eb400fe1daa8
+name: Cisco Duo - Admin user created
+description: |
+  'Detects when new admin user is created.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where DvcAction =~ "admin_create"
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAuthDeviceLocation.yaml

@@ -0,0 +1,39 @@
+id: 01df3abe-3dc7-40e2-8aa7-f00b402df6f0
+name: Cisco Duo - Authentication device new location
+description: |
+  'Detects new location of authentication device.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where EventType =~ 'authentication'
+  | where EventResult =~ 'success'
+  | where isnotempty(AuthDeviceCountry)
+  | summarize src_c = makeset(AuthDeviceCountry) by SrcIpAddr
+  | join (CiscoDuo
+          | where EventType =~ 'authentication'
+          | where EventResult =~ 'success') on SrcIpAddr
+  | where src_c !has AuthDeviceCountry
+  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml

@@ -0,0 +1,35 @@
+id: 16c91a2c-17ad-4985-a9ad-4a4f1cb11830
+name: Cisco Duo - Unexpected authentication factor
+description: |
+  'Detects when unexpected authentication factor used.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let allowed_auth_f = dynamic(['duo_push', 'duo_mobile_passcode']);
+  CiscoDuo
+  | where EventType =~ 'authentication'
+  | where EventResult =~ 'success'
+  | where AuthFactor !in~ (allowed_auth_f)
+  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdmin2FAFailure.yaml

@@ -0,0 +1,28 @@
+id: 421bbeed-ad5b-4acd-9f0b-6b609da33914
+name: Cisco Duo - Admin failure authentications
+description: |
+  'Query searches for administrator issue completing secondary authentication.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ "admin_2fa_error"
+  | project TimeGenerated, SrcIpAddr, DstUserName
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminDeleteActions.yaml

@@ -0,0 +1,28 @@
+id: c6386cad-2dd2-436c-a938-bc66dda6c01a
+name: Cisco Duo - Delete actions
+description: |
+  'Query searches for delete actions performed by admin users.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where DvcAction in~ ('activation_delete_link', 'admin_activation_delete', 'admin_delete', 'azure_directory_delete', 'bypass_delete', 'delete_child_customer', 'directory_delete', 'feature_delete', 'group_delete', 'hardtoken_delete', 'integration_delete', 'phone_delete', 'policy_delete', 'u2ftoken_delete', 'user_delete')
+  | project TimeGenerated, SrcIpAddr, DstUserName
+  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminFailure.yaml

@@ -0,0 +1,28 @@
+id: 385b0938-3922-48ab-a57a-cb8650ab71a3
+name: Cisco Duo - Admin failure authentications
+description: |
+  'Query searches admin failure authentication events.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ "admin_login_error"
+  | project TimeGenerated, SrcIpAddr, DstUserName
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorEvents.yaml

@@ -0,0 +1,29 @@
+id: b8c43652-1b79-4b18-a348-a719bafad6d3
+name: Cisco Duo - Authentication errors
+description: |
+  'Query searches for authentication errors.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where EventType =~ 'authentication'
+  | where EventResult =~ 'error'
+  | project TimeGenerated, DstUserName, SrcIpAddr, EventResultDetails
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorReasons.yaml

@@ -0,0 +1,25 @@
+id: 5653900e-4b21-408d-84da-e4db3da891bb
+name: Cisco Duo - Authentication error reasons
+description: |
+  'Query searches for authentication error reasons.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where EventType =~ 'authentication'
+  | where EventResult in~ ('denied', 'failure')
+  | summarize count() by EventResultDetails, DstUserName
+  | extend AccountCustomEntity = DstUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoDeletedUsers.yaml

@@ -0,0 +1,28 @@
+id: 5d0b00fd-1dc0-4e1b-ae09-5cec3b4fadf6
+name: Cisco Duo - Deleted users
+description: |
+  'Query searches for deleted users.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ "user_delete"
+  | project TimeGenerated, SrcIpAddr, SrcUserName, DstUserName
+  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoFraudAuthentication.yaml

@@ -0,0 +1,29 @@
+id: b8f46142-cebc-435d-9943-2ed74e1eaba7
+name: Cisco Duo - Fraud authentications
+description: |
+  'Query searches for fraud authentication events.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where EventType =~ 'authentication'
+  | where EventResult =~ 'fraud'
+  | project TimeGenerated, DstUserName, SrcIpAddr
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoNewUsers.yaml

@@ -0,0 +1,29 @@
+id: 72c81132-bc09-4a2f-9c32-02e2e9ee7978
+name: Cisco Duo - New users
+description: |
+  'Query searches for new users created.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where DvcAction "user_create"
+  | project TimeGenerated, SrcIpAddr, SrcUserName, DstUserName
+  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnpachedAccessDevices.yaml

@@ -0,0 +1,30 @@
+id: 9de62fee-f601-43c9-8757-2098e59fedeb
+name: Cisco Duo - Devices with vulnerable OS
+description: |
+  'Query searches for devices with vulnerable OS.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let os_latest = 'x.x.xxx'; //put the latest version of OS here before running the query
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where EventType =~ 'authentication'
+  | where AccessDvcOsVersion != os_latest
+  | project TimeGenerated, SrcIpAddr, DstUserName
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnsecuredDevices.yaml

@@ -0,0 +1,29 @@
+id: c308e737-e620-4c89-ab1e-a186e901b087
+name: Cisco Duo - Devices with unsecure settings
+description: |
+  'Query searches for devices with unsecure settings.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoDuoSecurity
+    dataTypes:
+      - CiscoDuo
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  CiscoDuo
+  | where TimeGenerated > ago(24h)
+  | where EventType =~ 'authentication'
+  | where  AccessDvcEncryptionEnabled == False or AccessDvcFirewallEnabled == False or AccessDvcPasswordSet == False
+  | project TimeGenerated, SrcIpAddr, DstUserName
+  | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoDuoSecurity/Workbooks/CiscoDuo.json

@@ -0,0 +1,333 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoDuo** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscoduo-parser)"
+      },
+      "name": "text - 8"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "description": "Sets the time name for analysis",
+            "value": {
+              "durationMs": 7776000000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
+        "size": 0,
+        "title": "Events Over Time",
+        "color": "greenDark",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "timechart",
+        "graphSettings": {
+          "type": 0
+        }
+      },
+      "customWidth": "40",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "55"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\n| summarize count() by SrcGeoCountry",
+        "size": 0,
+        "title": "Countries summary",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "30",
+      "name": "query - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "let tot_dvc = CiscoDuo\r\n| summarize e_count=dcount(SrcHostname)\r\n| extend Title='Authentication Devices';\r\nlet tot_usr = CiscoDuo\r\n| where EventType =~ 'authentication'\r\n| where EventResult =~ 'success'\r\n| summarize e_count=dcount(DstUserName)\r\n| extend Title='Total Users';\r\nlet tot_adm = CiscoDuo\r\n| where EventType =~ 'admin_login'\r\n| summarize e_count=dcount(DstUserName)\r\n| extend Title='Admin users';\r\nunion isfuzzy=true tot_dvc, tot_usr, tot_adm\r\n| order by e_count",
+        "size": 3,
+        "title": "Summary",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "tiles",
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "Title",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "e_count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "style": "decimal",
+                "maximumFractionDigits": 2,
+                "maximumSignificantDigits": 3
+              }
+            }
+          },
+          "secondaryContent": {
+            "columnMatch": "Trend",
+            "formatter": 9,
+            "formatOptions": {
+              "palette": "purple"
+            }
+          },
+          "showBorder": false
+        }
+      },
+      "customWidth": "25",
+      "name": "query - 0",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr",
+        "size": 3,
+        "title": "Source Addresses",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "33",
+      "name": "query - 3",
+      "styleSettings": {
+        "margin": "10",
+        "padding": "10"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\r\n| where isnotempty(DstUserName)\r\n| summarize count() by DstUserName\r\n| top 10 by count_",
+        "size": 3,
+        "title": "Top Users",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "gridSettings": {
+          "sortBy": [
+            {
+              "itemKey": "TotalEvents",
+              "sortOrder": 2
+            }
+          ]
+        },
+        "sortBy": [
+          {
+            "itemKey": "TotalEvents",
+            "sortOrder": 2
+          }
+        ]
+      },
+      "customWidth": "33",
+      "name": "query - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\n| where EventType =~ 'authentication'\n| where EventResult =~ 'success'\n| summarize e_count = count() by SrcDvcOs\n| project-rename  DeviceOS=SrcDvcOs",
+        "size": 0,
+        "title": "Device OS Types",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "tiles",
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "User",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "TotalMailsReceived",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          },
+          "secondaryContent": {
+            "columnMatch": "Trend",
+            "formatter": 10,
+            "formatOptions": {
+              "palette": "magenta"
+            }
+          },
+          "showBorder": false
+        }
+      },
+      "customWidth": "30",
+      "name": "query - 10"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\r\n| where EventType in~ ('admin_login', 'admin_login_error')\r\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventType =~ 'admin_login_error', '❌', '✅'))\r\n",
+        "size": 3,
+        "title": "Admin login status",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "34",
+      "name": "query - 1"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\r\n| where EventType =~ 'authentication'\r\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventResult =~ 'success', '✅', '❌'))",
+        "size": 0,
+        "title": "User authentication status",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "rowLimit": 50,
+          "filter": true
+        }
+      },
+      "customWidth": "40",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "33"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoDuo\n| where EventType =~ 'user_create'\n| project SrcUserName",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "tiles",
+        "gridSettings": {
+          "filter": true
+        },
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "Title"
+          },
+          "subtitleContent": {
+            "columnMatch": "SrcIpAddr",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "purpleDark"
+            }
+          },
+          "showBorder": false,
+          "rowLimit": 25
+        },
+        "textSettings": {
+          "style": "bignumber"
+        }
+      },
+      "customWidth": "15",
+      "name": "query - 10"
+    }
+  ],
+  "fromTemplateId": "sentinel-CiscoDuoWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}