several fixes to templates

2020-11-05 11:17:29 +02:00 · 2020-11-05 11:17:29 +02:00 · d3bea16104
--- a/Detections/AzureActivity/Creation_of_Expensive_Computes_in
+++ b/Detections/AzureActivity/Creation_of_Expensive_Computes_in
@ -6,6 +6,7 @@ description: |
  or use it for cryptomining purposes.
  For Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes 
  Azure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'
+severity: Low
 requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
--- a/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml
+++ b/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml
@ -5,6 +5,7 @@ description: |
  Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.
  To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)
  Finally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.'
+severity: Medium
 requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
--- a/Detections/MultipleDataSources/STRONTIUMOct292020IOCs.yaml
+++ b/Detections/MultipleDataSources/STRONTIUMOct292020IOCs.yaml
@ -8,7 +8,7 @@ requiredDataConnectors:
    dataTypes:
      - OfficeActivity
 queryFrequency: 7d
-queryPeriod: 30d
+queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
--- a/Detections/OfficeActivity/ExternalUserAddedRemovedInTeams.yaml
+++ b/Detections/OfficeActivity/ExternalUserAddedRemovedInTeams.yaml
@ -1,4 +1,4 @@
-id: e9ceg568-6257-4dab-9a48-4793727y46a2
+id: bff093b2-500e-4ae5-bb49-a5b1423cbd5b
 name: External user added and removed in short timeframe
 description: |
  'This detection flags the occurances of external user accounts that are added to a Team and then removed within
--- a/Detections/OfficeActivity/MultipleTeamsDeletes.yaml
+++ b/Detections/OfficeActivity/MultipleTeamsDeletes.yaml
@ -5,9 +5,9 @@ description: |
  This data is a part of Office 365 Connector in Azure Sentinel.'
 severity: Low
 requiredDataConnectors:
- connectorId: Office365
-dataTypes:
- OfficeActivity (Teams)
+  - connectorId: Office365
+    dataTypes:
+      - OfficeActivity (Teams)
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt
--- a/Detections/OfficeActivity/StrontiumCredHarvesting.yaml
+++ b/Detections/OfficeActivity/StrontiumCredHarvesting.yaml
@ -9,7 +9,7 @@ requiredDataConnectors:
    dataTypes:
      - OfficeActivity
 queryFrequency: 7d
-queryPeriod: 30d
+queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics: