From d8321c70a5c7320758fe34b256a923930cf830f3 Mon Sep 17 00:00:00 2001 
From: Igal Date: Wed, 13 May 2020 15:07:12 +0300 Subject: [PATCH] Documentation links should not include locale - fix and add validations (#678) * Documentation links should not include locale - fix and add validations --- .azure-pipelines/documentsLinkValidator.yaml | 11 ++++++++ .script/ReadMe.md | 6 ++--- .script/documentsLinkValidator.ts | 27 +++++++++++++++++++ .../documentsLinkValidatorTest/badlink.md | 3 +++ .../documentsLinkValidator.Test.ts | 24 +++++++++++++++++ .../documentsLinkValidatorTest/nodoclinks.md | 4 +++ .../documentsLinkValidatorTest/validlink.md | 3 +++ DataConnectors/ReadMe.md | 6 ++--- .../AuditLogs/RareApplicationConsent.yaml | 2 +- .../office_policytampering.yaml | 2 +- .../GroupCreatedAddedToPrivlegeGroup_1h.yaml | 2 +- .../UserAccountAddedToPrivlegeGroup_1h.yaml | 2 +- .../SigninLogs/BypassCondAccessRule.yaml | 6 ++--- ...dAccountSigninsAcrossManyApplications.yaml | 2 +- .../SigninLogs/DistribPassCrackAttempt.yaml | 2 +- .../SigninLogs/FailedLogonToAzurePortal.yaml | 2 +- ...SigninAttemptsByIPviaDisabledAccounts.yaml | 2 +- .../SigninBruteForce-AzurePortal.yaml | 2 +- .../SigninLogs/SigninPasswordSpray.yaml | 2 +- .../ConsentToApplicationDiscovery.yaml | 2 +- .../AzureResourceAssignedPublicIP.yaml | 4 +-- ...reResourceCreationWithNetworkActivity.yaml | 4 +-- ...ReservedFileNamesOnOfficeFileServices.yaml | 2 +- ...ReservedFileNamesOnOfficeFileServices.yaml | 2 +- .../OfficeActivity/nonowner_MailboxLogin.yaml | 2 +- ...powershell_or_nonbrowser_MailboxLogin.yaml | 2 +- .../CustomUserList_FailedLogons.yaml | 6 ++--- .../GroupAddedToPrivlegeGroup.yaml | 2 +- .../UserAccountAddedToPrivlegeGroup.yaml | 2 +- azure-pipelines.yml | 1 + package-lock.json | 18 +++++++++++++ package.json | 2 +- 32 files changed, 125 insertions(+), 34 deletions(-) create mode 100644 .azure-pipelines/documentsLinkValidator.yaml create mode 100644 .script/documentsLinkValidator.ts create mode 100644 .script/tests/documentsLinkValidatorTest/badlink.md create mode 100644 
.script/tests/documentsLinkValidatorTest/documentsLinkValidator.Test.ts create mode 100644 .script/tests/documentsLinkValidatorTest/nodoclinks.md create mode 100644 .script/tests/documentsLinkValidatorTest/validlink.md
diff --git a/.azure-pipelines/documentsLinkValidator.yaml b/.azure-pipelines/documentsLinkValidator.yaml
new file mode 100644
index 0000000000..2a36e61d93
--- /dev/null
+++ b/.azure-pipelines/documentsLinkValidator.yaml
@@ -0,0 +1,11 @@
+jobs:
+- job: "DocumentsLinkValidation"
+ pool:
+ vmImage: 'Ubuntu 16.04'
+ steps:
+ - task: Npm@1
+ displayName: 'npm install'
+ inputs:
+ verbose: false
+ - script: 'npm run tsc && node .script/documentsLinkValidator.js'
+ displayName: 'Documents links locale validation'
\ No newline at end of file
diff --git a/.script/ReadMe.md b/.script/ReadMe.md
index 207f77b636..19227dc8b0 100644
--- a/.script/ReadMe.md
+++ b/.script/ReadMe.md
@@ -4,7 +4,7 @@ At the time of submitting your Pull Request, automatic GitHub validations using
 ## What is Azure Pipelines
-[Azure Pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started/what-is-azure-pipelines?view=azure-devops) is a cloud service that you can use to automatically build and test your code project and make it available to other users. It works with just about any language or project type.
+[Azure Pipelines](https://docs.microsoft.com/azure/devops/pipelines/get-started/what-is-azure-pipelines?view=azure-devops) is a cloud service that you can use to automatically build and test your code project and make it available to other users. It works with just about any language or project type.
 ## How to add new PR validation:
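Review bot: The Npm@1 step in the new DocumentsLinkValidation job relies on the task's default `install` command, which resolves versions outside package-lock.json when it and package.json disagree and can rewrite the lockfile on the agent; since this commit also touches package-lock.json, adding `command: 'ci'` under `inputs` would make the job fail loudly on such drift instead of silently picking new versions. The `vmImage: 'Ubuntu 16.04'` pin is presumably copied from the sibling validator pipelines for consistency; if so it is fine, but it is an older image and all of these jobs will need to move together when it is retired. The `displayName: 'npm install'` would then be better read as `'npm ci'` so the log matches what the step does.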
@@ -18,7 +18,7 @@ The libraries are defined in package.json 3. Create an Azure Pipeline job for the new validation. Add new yaml file under [.azure-pipelines](https://github.com/Azure/Azure-Sentinel/blob/master/.azure-pipelines/) folder, see example in [yamlFileValidator.yaml](https://github.com/Azure/Azure-Sentinel/blob/master/.azure-pipelines/yamlFileValidator.yaml) file (note - the script code should be added on another file for clearer code, see in step #5). * Add scripts those are relevant to the specific folder under one yaml file in the same job. The validation infrastructure and the examples are in TypeScript, but you can use other languages if you prefer - * Azure Pipelines work with many languages such as Python, Java,JavaScript, PHP, Ruby, C#, C++, and Go. Refer to [Azure Pipelines documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/?view=azure-devops) for further information on this. + * Azure Pipelines work with many languages such as Python, Java,JavaScript, PHP, Ruby, C#, C++, and Go. Refer to [Azure Pipelines documentation](https://docs.microsoft.com/azure/devops/pipelines/?view=azure-devops) for further information on this. 4. Add the new job to [azure-pipelines.yml](https://github.com/Azure/Azure-Sentinel/blob/master/azure-pipelines.yml) file as a new template under jobs property 
@@ -30,7 +30,7 @@ Add new yaml file under [.azure-pipelines](https://github.com/Azure/Azure-Sentin
 ### How to add scipt validation
 **Note**: All script logs are public and display in DevOps pipeline.
-By default, the logs color is white. In case you want another color you can use [logging commands](https://docs.microsoft.com/en-us/azure/devops/pipelines/scripts/logging-commands?view=azure-devops&tabs=bash)
+By default, the logs color is white. In case you want another color you can use [logging commands](https://docs.microsoft.com/azure/devops/pipelines/scripts/logging-commands?view=azure-devops&tabs=bash)
 1. Create script file under [.script](https://github.com/Azure/Azure-Sentinel/tree/master/.script) folder
diff --git a/.script/documentsLinkValidator.ts b/.script/documentsLinkValidator.ts
new file mode 100644
index 0000000000..14c1fe6b28
--- /dev/null
+++ b/.script/documentsLinkValidator.ts
@@ -0,0 +1,27 @@
+import { runCheckOverChangedFiles } from "./utils/changedFilesValidator";
+import { ExitCode } from "./utils/exitCode";
+import fs from "fs";
+import * as logger from "./utils/logger";
+
+export async function IsFileContainsLinkWithLocale(filePath: string): Promise {
+ const content = fs.readFileSync(filePath, "utf8");
+ if (/(https:\/\/docs.microsoft.com|https:\/\/azure.microsoft.com)(\/[a-z]{2}-[a-z]{2})/i.test(content)) {
+ throw new Error();
+ }
+ return ExitCode.SUCCESS;
+}
+
+let fileKinds = ["Added", "Modified"];
+let CheckOptions = {
+ onCheckFile: (filePath: string) => {
+ return IsFileContainsLinkWithLocale(filePath);
+ },
+ onExecError: async (e: any, filePath: string) => {
+ console.log(`Documentation links should not include locale: ${filePath}, ${e.message}`);
+ },
+ onFinalFailed: async () => {
+ logger.logError("An error occurred, please open an issue");
+ }
+};
+
+runCheckOverChangedFiles(CheckOptions, fileKinds);
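Review bot: `throw new Error()` in IsFileContainsLinkWithLocale carries no message, so the `${e.message}` interpolated in onExecError prints an empty string and the contributor is never told which link tripped the check. Capturing the match and reporting it fixes that: `const match = /https:\/\/(?:docs|azure)\.microsoft\.com\/([a-z]{2}-[a-z]{2,4})(?:\/|$)/im.exec(content);` followed by `if (match) { throw new Error("locale segment found in link: " + match[0]); }`. That pattern also escapes the dots (an unescaped `.` matches any character) and widens the second locale part to 2–4 letters so forms such as `zh-hans` are not missed; the `(?:\/|$)` boundary is a guess at the intended shape and worth checking against the repository's existing links. The `Promise` return type appears to have lost its type argument in this rendering, presumably `Promise<ExitCode>` in the source. onExecError reports through `console.log` while onFinalFailed uses `logger.logError`; using the logger for both would keep the per-file failure as visible in the pipeline output as the summary.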
diff --git a/.script/tests/documentsLinkValidatorTest/badlink.md b/.script/tests/documentsLinkValidatorTest/badlink.md
new file mode 100644
index 0000000000..625241b26c
--- /dev/null
+++ b/.script/tests/documentsLinkValidatorTest/badlink.md
@@ -0,0 +1,3 @@
+# This is another dummy file
+
+This time with bad link to [docs](https://docs.microsoft.com/en-us/windows/)
\ No newline at end of file
diff --git a/.script/tests/documentsLinkValidatorTest/documentsLinkValidator.Test.ts b/.script/tests/documentsLinkValidatorTest/documentsLinkValidator.Test.ts
new file mode 100644
index 0000000000..975ba3ebaa
--- /dev/null
+++ b/.script/tests/documentsLinkValidatorTest/documentsLinkValidator.Test.ts
@@ -0,0 +1,24 @@
+import { IsFileContainsLinkWithLocale } from "../../documentsLinkValidator";
+import { ExitCode } from "../../utils/exitCode";
+import chai from "chai";
+import { expect } from "chai";
+import chaiAsPromised from "chai-as-promised";
+
+chai.use(chaiAsPromised);
+
+describe("documentsLinkValidator", () => {
+ it("should pass when no links", async () => {
+ let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/nodoclinks.md");
+ expect(result).to.equal(ExitCode.SUCCESS);
+ });
+
+ it("should pass when link is valid", async () => {
+ let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/validlink.md");
+ expect(result).to.equal(ExitCode.SUCCESS);
+ });
+
+ it("should fail when link contains locale", async () => {
+ let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/badlink.md");
+ expect(result).eventually.rejectedWith(Error)
+ });
+});
diff --git a/.script/tests/documentsLinkValidatorTest/nodoclinks.md b/.script/tests/documentsLinkValidatorTest/nodoclinks.md
new file mode 100644
index 0000000000..dd2f56711c
--- /dev/null
+++ b/.script/tests/documentsLinkValidatorTest/nodoclinks.md
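Review bot: The third case, `should fail when link contains locale`, awaits IsFileContainsLinkWithLocale before the assertion, so the rejection propagates out of the `it` callback and the case fails instead of passing on the expected rejection; and because the `expect(result).eventually.rejectedWith(Error)` chain is neither awaited nor returned, it would assert nothing even if `result` were a promise. Replace those two lines with `await expect(IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/badlink.md")).to.be.rejectedWith(Error);`. The fixture paths are relative, so all three cases presumably assume the repository root as the working directory, matching how the pipeline invokes the script; worth confirming the mocha configuration runs from there.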
@@ -0,0 +1,4 @@
+# This is just a dummy file
+
+it has nothing here
+[maybe some link](https://www.microsoft.com) which is harmless
\ No newline at end of file
diff --git a/.script/tests/documentsLinkValidatorTest/validlink.md b/.script/tests/documentsLinkValidatorTest/validlink.md
new file mode 100644
index 0000000000..49994261f6
--- /dev/null
+++ b/.script/tests/documentsLinkValidatorTest/validlink.md
@@ -0,0 +1,3 @@
+# This is another dummy file
+
+This time with valid link to [docs](https://docs.microsoft.com/windows/)
\ No newline at end of file
diff --git a/DataConnectors/ReadMe.md b/DataConnectors/ReadMe.md
index c0ebb0a267..3b78ff160d 100644
--- a/DataConnectors/ReadMe.md
+++ b/DataConnectors/ReadMe.md
@@ -37,7 +37,7 @@ Once you have decided on the type of data connector you plan to support, set the ### REST API Connectors -1. Use the [Azure Monitor Data Collector API](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api) to send data to Azure Log Analytics. [This blog](https://zimmergren.net/building-custom-data-collectors-for-azure-log-analytics/) covers step by step instructions with screenshots to do so. If on prem, open port 443 (HTTPS/TLS) on your environment to talk to Azure Sentinel. +1. Use the [Azure Monitor Data Collector API](https://docs.microsoft.com/azure/azure-monitor/platform/data-collector-api) to send data to Azure Log Analytics. [This blog](https://zimmergren.net/building-custom-data-collectors-for-azure-log-analytics/) covers step by step instructions with screenshots to do so. If on prem, open port 443 (HTTPS/TLS) on your environment to talk to Azure Sentinel. 2. Ensure the schema used for structuring the data in Log Analytics is locked. Any changes to the schema after the data connector is published will have a compatibility impact, hence need to have a new name for the connector data type. 3. Design a configuration mechanism in your product experience via product settings or via your product website, where your customers can go and enter the following information to send their logs into Log Analytics for Azure Sentinel. 1. [**Required**] Azure Sentinel workspace ID 
@@ -125,9 +125,9 @@ To use TLS communication between the security solution and the Syslog machine, y ### Syslog Connector -**Note:** If your product supports CEF, the connection is more complete and you should choose CEF and follow the instructions in [Connecting data from CEF](https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format) and data connector building steps detailed in the CEF connector section. +**Note:** If your product supports CEF, the connection is more complete and you should choose CEF and follow the instructions in [Connecting data from CEF](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) and data connector building steps detailed in the CEF connector section. -1. Follow the steps outlined in the [Connecting data from Syslog](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) to use the Azure Sentinel syslog connector to connect your product. +1. Follow the steps outlined in the [Connecting data from Syslog](https://docs.microsoft.com/azure/sentinel/connect-syslog) to use the Azure Sentinel syslog connector to connect your product. 2. Set your security solution to send Syslog messages to the proxy machine. This varies from product to product and follow the process for your product. 3. Outline specific steps custom for sending your product logs along with link to your (partner) product documentation on how customers should configure their agent to send Syslog logs from the respective product into Azure Sentinel. 4. Design and validate a few key queries that lands the value of the data stream using Kusto Query Language. Share these as sample queries in the data connector. diff --git a/Detections/AuditLogs/RareApplicationConsent.yaml b/Detections/AuditLogs/RareApplicationConsent.yaml index 6e81f1a566..cd2bf0e273 100644 --- a/Detections/AuditLogs/RareApplicationConsent.yaml +++ b/Detections/AuditLogs/RareApplicationConsent.yaml 
@@ -5,7 +5,7 @@ description: | This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth - For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities.' + For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory diff --git a/Detections/OfficeActivity/office_policytampering.yaml b/Detections/OfficeActivity/office_policytampering.yaml index 347ae4e741..fdf2202cee 100644 --- a/Detections/OfficeActivity/office_policytampering.yaml +++ b/Detections/OfficeActivity/office_policytampering.yaml @@ -3,7 +3,7 @@ name: Office policy tampering description: | 'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. - References: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' + References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' severity: Medium requiredDataConnectors: - connectorId: Office365 diff --git a/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml b/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml index f122b7bb22..9ffd5752d1 100644 --- a/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml +++ b/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml 
@@ -3,7 +3,7 @@ name: Group added to built in domain local or global group description: | 'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. - References: For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups.' + References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' severity: Medium requiredDataConnectors: - connectorId: SecurityEvents diff --git a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml index a4fddfd948..86c6be2aec 100644 --- a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml +++ b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml @@ -21,7 +21,7 @@ relevantTechniques: query: | let timeframe = 1d; - // For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups + // For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$"; let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$"; SecurityEvent diff --git a/Detections/SigninLogs/BypassCondAccessRule.yaml b/Detections/SigninLogs/BypassCondAccessRule.yaml index ef3e574556..085660966a 100644 --- a/Detections/SigninLogs/BypassCondAccessRule.yaml +++ b/Detections/SigninLogs/BypassCondAccessRule.yaml 
@@ -5,9 +5,9 @@ description: | The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). References: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes + https://docs.microsoft.com/azure/active-directory/conditional-access/overview + https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins + https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes ConditionalAccessStatus == 0 // Success ConditionalAccessStatus == 1 // Failure ConditionalAccessStatus == 2 // Not Applied diff --git a/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml b/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml index 8fd028c4cd..8c0bfd558f 100644 --- a/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml +++ b/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml @@ -3,7 +3,7 @@ name: Attempts to sign in to disabled accounts description: | 'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50057 - User account is disabled. The account has been disabled by an administrator.' severity: Medium requiredDataConnectors: 
diff --git a/Detections/SigninLogs/DistribPassCrackAttempt.yaml b/Detections/SigninLogs/DistribPassCrackAttempt.yaml index f3dc20f1b1..2f2e76bd08 100644 --- a/Detections/SigninLogs/DistribPassCrackAttempt.yaml +++ b/Detections/SigninLogs/DistribPassCrackAttempt.yaml @@ -3,7 +3,7 @@ name: Distributed Password cracking attempts in AzureAD description: | 'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a user account. - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password. 50055 Invalid password, entered expired password. 50056 Invalid or null password - Password does not exist in store for this user. diff --git a/Detections/SigninLogs/FailedLogonToAzurePortal.yaml b/Detections/SigninLogs/FailedLogonToAzurePortal.yaml index 416df52187..e90a7c5d21 100644 --- a/Detections/SigninLogs/FailedLogonToAzurePortal.yaml +++ b/Detections/SigninLogs/FailedLogonToAzurePortal.yaml 
@@ -4,7 +4,7 @@ description: | 'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. The following are excluded due to success and non-failure results: - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 0 - successful logon 50125 - Sign-in was interrupted due to a password reset or password registration entry. 50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.' diff --git a/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml b/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml index 13f236ab3a..bb9091fb5c 100644 --- a/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml +++ b/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml @@ -2,7 +2,7 @@ name: Sign-ins from IPs that attempt sign-ins to disabled accounts description: | 'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50057 - User account is disabled. The account has been disabled by an administrator.' severity: Medium requiredDataConnectors: diff --git a/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml b/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml index 95d09a8364..b3d1f5395f 100644 --- a/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml +++ b/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml 
@@ -5,7 +5,7 @@ description: | and by a successful authentication within a given time window. (The query does not enforce any sequence - eg requiring the successful authentication to occur last.) Default Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes. - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.' + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory diff --git a/Detections/SigninLogs/SigninPasswordSpray.yaml b/Detections/SigninLogs/SigninPasswordSpray.yaml index 2322ffbe99..8c13570581 100644 --- a/Detections/SigninLogs/SigninPasswordSpray.yaml +++ b/Detections/SigninLogs/SigninPasswordSpray.yaml @@ -7,7 +7,7 @@ description: | This can be an indicator that an attack was successful. The default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days Note: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity. - References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.' + References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory diff --git a/Hunting Queries/AuditLogs/ConsentToApplicationDiscovery.yaml b/Hunting Queries/AuditLogs/ConsentToApplicationDiscovery.yaml index 1d79d544da..99fdb8504a 100644 --- a/Hunting Queries/AuditLogs/ConsentToApplicationDiscovery.yaml +++ b/Hunting Queries/AuditLogs/ConsentToApplicationDiscovery.yaml 
@@ -8,7 +8,7 @@ description: | from the AuditLogs based on CorrleationId from the same account that performed "Consent to application". For further information on AuditLogs please see - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities + https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities This may help detect the Oauth2 attack that can be initiated by this publicly available tool https://github.com/fireeye/PwnAuth' requiredDataConnectors: diff --git a/Hunting Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml b/Hunting Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml index 14c0b75804..74451e9ae6 100644 --- a/Hunting Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml +++ b/Hunting Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml @@ -3,8 +3,8 @@ name: Azure Resources assigned Public IP Addresses description: | 'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-networking-analytics - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema' + https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics + https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema' requiredDataConnectors: - connectorId: AzureActivity dataTypes: diff --git a/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml b/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml index 3a6d47417e..fb24c8e13e 100644 --- a/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml +++ b/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml 
@@ -9,8 +9,8 @@ description: | currency mining, command and control, exfiltration, distributed attacks and propagation of malware, among others. Verify that this resource creation is expected. Resources: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-networking-analytics - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema' + https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics + https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema' requiredDataConnectors: - connectorId: AzureActivity dataTypes: diff --git a/Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml b/Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml index 99ac4463d6..9375b1d773 100644 --- a/Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml +++ b/Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml @@ -6,7 +6,7 @@ description: | 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9' file extensions. Additionally, identifies when a given user is uploading these files to another users workspace. This may be indication of a staging location for malware or other malicious activity. - References: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file' + References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file' requiredDataConnectors: - connectorId: Office365 dataTypes: diff --git a/Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml b/Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml index 0d61245bfd..bfc907e23f 100644 --- a/Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml +++ b/Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml 
@@ -6,7 +6,7 @@ description: | 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9' file extensions. Additionally, identifies when a given user is uploading these files to another users workspace. This may be indication of a staging location for malware or other malicious activity. - References: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file' + References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file' requiredDataConnectors: - connectorId: Office365 dataTypes: diff --git a/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml b/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml index bd371af039..6321222b22 100644 --- a/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml +++ b/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml @@ -5,7 +5,7 @@ description: | The logon type indicates mailbox accessed from non-owner user. Exchange allows Admin and delegate permissions to access other user's inbox. If your organization has valid admin, delegate access given to users, you can whitelist those and investigate other results. - References: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#logontype' + References: https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-schema#logontype' requiredDataConnectors: - connectorId: Office365 dataTypes: diff --git a/Hunting Queries/OfficeActivity/powershell_or_nonbrowser_MailboxLogin.yaml b/Hunting Queries/OfficeActivity/powershell_or_nonbrowser_MailboxLogin.yaml index 5d31dbe8c3..de2c55704b 100644 --- a/Hunting Queries/OfficeActivity/powershell_or_nonbrowser_MailboxLogin.yaml +++ b/Hunting Queries/OfficeActivity/powershell_or_nonbrowser_MailboxLogin.yaml 
@@ -5,7 +5,7 @@ description: | By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell. Whitelist any benign scheduled activities using exchange powershell if applicable in your environment. - References: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps' + References: https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps' requiredDataConnectors: - connectorId: Office365 dataTypes: diff --git a/Hunting Queries/SecurityEvent/CustomUserList_FailedLogons.yaml b/Hunting Queries/SecurityEvent/CustomUserList_FailedLogons.yaml index 9dcce04d78..416327e11f 100644 --- a/Hunting Queries/SecurityEvent/CustomUserList_FailedLogons.yaml +++ b/Hunting Queries/SecurityEvent/CustomUserList_FailedLogons.yaml @@ -2,7 +2,7 @@ id: 892cd37e-f9e1-49c3-b0b2-d74f52ac7b71 name: VIP account more than 6 failed logons in 10 description: | 'VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below - NTSTATUS codes - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55' + NTSTATUS codes - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55' requiredDataConnectors: - connectorId: SecurityEvents dataTypes: 
@@ -48,7 +48,7 @@ query: | Status =~ "0xC0000224", "STATUS_PASSWORD_MUST_CHANGE", Status =~ "0xC0000234", "STATUS_ACCOUNT_LOCKED_OUT", Status =~ "0xC00002EE", "STATUS_UNFINISHED_CONTEXT_DELETED", - "See - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" + "See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" ) | extend SubStatusDesc = case( SubStatus =~ "0x80090325", "SEC_E_UNTRUSTED_ROOT", @@ -77,7 +77,7 @@ query: | SubStatus =~ "0xC0000387", "STATUS_SMARTCARD_IO_ERROR", SubStatus =~ "0xC0000388", "STATUS_DOWNGRADE_DETECTED", SubStatus =~ "0xC0000389", "STATUS_SMARTCARD_CERT_REVOKED", - "See - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" + "See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" ) | project StartTimeUtc, EndTimeUtc, FailedVIPLogons, EventID, Activity, WorkstationName, Account, TargetAccount, TargetUserName, TargetDomainName, LogonType, LogonTypeName, LogonProcessName, Status, StatusDesc, SubStatus, SubStatusDesc | extend timestamp = StartTimeUtc, AccountCustomEntity = Account diff --git a/Hunting Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml b/Hunting Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml index fa45fe6e02..e288e9be8f 100644 --- a/Hunting Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml +++ b/Hunting Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml 
@@ -16,7 +16,7 @@ relevantTechniques: query: | let timeframe = 7d; - // For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups + // For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$"; let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$"; let GroupAddition = SecurityEvent diff --git a/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml b/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml index 7e4abe6712..4a0c513603 100644 --- a/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml +++ b/Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml @@ -16,7 +16,7 @@ relevantTechniques: query: | let timeframe = 10d; - // For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups + // For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$"; let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$"; SecurityEvent diff --git a/azure-pipelines.yml b/azure-pipelines.yml index e385a47a0c..96c0b8da0f 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -12,3 +12,4 @@ jobs: - template: .azure-pipelines/detectionsValidations.yaml - template: .azure-pipelines/yamlFileValidator.yaml - template: .azure-pipelines/jsonFileValidator.yaml +- template: .azure-pipelines/documentsLinkValidator.yaml diff --git a/package-lock.json b/package-lock.json index ac8b468eb4..f39da60772 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -956,6 +956,24 @@ "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
 "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc="
 },
+ "simple-git": {
+ "version": "1.132.0",
+ "resolved": "https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz",
+ "integrity": "sha512-xauHm1YqCTom1sC9eOjfq3/9RKiUA9iPnxBbrY2DdL8l4ADMu0jjM5l5lphQP5YWNqAL2aXC/OeuQ76vHtW5fg==",
+ "requires": {
+ "debug": "^4.0.1"
+ },
+ "dependencies": {
+ "debug": {
+ "version": "4.1.1",
+ "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
+ "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
+ "requires": {
+ "ms": "^2.1.1"
+ }
+ }
+ }
+ },
 "source-map": {
 "version": "0.6.1",
 "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
diff --git a/package.json b/package.json
index 61a39994d4..da6fcaef4c 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@ "url": "git+https://github.com/Azure-Sentinel.git"
 },
 "author": "",
-"license": "",
+"license": "MIT",
 "bugs": {
 "url": "https://github.com/Azure/Azure-Sentinel/issues"
 },
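Review bot: The `"license"` field changes from empty to `"MIT"` while the commit title and description only mention documentation-link validation; a license declaration is a metadata change that reviewers and downstream consumers look for, so it should be named in the description or split into its own commit, and it should agree with the repository's LICENSE file (presumably present at the root, not visible here). Separately, the package-lock.json hunk above adds a `simple-git` entry although package.json's only change is the license line, which suggests the lockfile had drifted from an already-declared dependency; confirming that `simple-git` is listed in package.json's dependencies would rule out an unrecorded dependency being pulled in by the new pipeline job.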