Update New TABL Items.yaml

Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml

@@ -1 +1,29 @@
-
+id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
+name: New TABL Items
+description: |
+  Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+- DefenseEvasion
+relevantTechniques:
+  - T1484
+query: |
+  CloudAppEvents
+	| where ActionType == "New-TenantAllowBlockListItems"
+  | extend Parameters = RawEventData.Parameters
+  | mv-apply Parameters on ( 
+    extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
+    | summarize Parameters=make_bag(Out)
+    )
+  | extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType,ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
+  | extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
+  | project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
+  | order by Timestamp desc
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountUpn