renamed time fields to Aux

2020-03-02 10:35:46 +02:00 · 2020-03-02 10:35:46 +02:00 · da0c66c2e2
--- a/Queries/InputEntity_IP/IpAddress_AccountLogons.yaml
+++ b/Queries/InputEntity_IP/IpAddress_AccountLogons.yaml
@ -1,4 +1,4 @@
-Id: 588f5d9f-3380-4eff-9983-e61d62fdd172
+Id: 588f5d9f-3380-4eff-9983-e61d62fdd172
 DisplayName: Office activity accounts with this IP
 Description: Summary of accounts for a given ClientIP on Office Activity data (set time range to +-12h when running the query)
 InputEntityType: Ip
@ -19,12 +19,12 @@ query: |

  let GetAllAccountByIP = (v_IP_Address:string){
  OfficeActivity 
-  | where ClientIP contains v_IP_Address
+  | where ClientIP == v_IP_Address
  | extend info = pack('ClientIP', ClientIP, 'UserType', UserType, 'Operation', Operation, 'OfficeWorkload', OfficeWorkload, 'ResultStatus', ResultStatus)
-  | summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by UserId
-  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, UserId, count_, Account_Aux_info
+  | summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId
+  | project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info
  | project-rename Account_UnstructuredName=UserId
-  | top 10 by count_ desc nulls last
+  | top 10 by Account_Aux_Count desc nulls last
  };
  // change <Address> value below
  GetAllAccountByIP('<Address>')
--- a/Queries/InputEntity_IP/LeastPrevClientIP-DNSNameQueryToIP.yaml
+++ b/Queries/InputEntity_IP/LeastPrevClientIP-DNSNameQueryToIP.yaml
@ -18,12 +18,11 @@ query: |
  let GetAllIPByClientIP = (v_IP_Address:string){
  DnsEvents
  | where SubType == 'LookupQuery'
-  | where IPAddresses contains v_IP_Address
-  | summarize min(TimeGenerated), max(TimeGenerated), makeset(Name), count() by ClientIP, IPAddresses
-  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, ClientIP, DomainNames = set_Name, IPAddresses, count_
-  | top 10 by count_ asc nulls last
-  | project StartTimeUtc, EndTimeUtc, ClientIP, IPAddresses, DomainNames
-  | project-rename IP_Address=ClientIP
+  | where IPAddresses has v_IP_Address
+  | extend IP_Aux_IPAddresses = split(IPAddresses,','), IP_Address=ClientIP
+  | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses
+  | project-away IPAddresses
+  | top 10 by IP_Aux_Count asc nulls last
  };
  // change <Address> value below
  GetAllIPByClientIP('<Address>')
--- a/Queries/InputEntity_IP/LeastPrevUsersByIPAddress.yaml
+++ b/Queries/InputEntity_IP/LeastPrevUsersByIPAddress.yaml
@ -27,7 +27,7 @@ query: |
  | extend info = pack('AppDisplayName', AppDisplayName, 'ClientAppUsed', ClientAppUsed, 'Browser', tostring(Browser), 'IPAddress', IPAddress, 'ResultType', ResultType, 'ResultDescription', ResultDescription, 'Location', Location, 'State', State, 'City', City, 'StatusCode', StatusCode, 'StatusDetails', StatusDetails)
  | summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId
  | top 10 by count_ asc nulls last 
-  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, UserId, Account_Aux_info
+  | project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, UserId, Account_Aux_info
  | project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_AadUserId=UserId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS
  };
  // change <Address> value below
--- a/Queries/InputEntity_IP/MostPrevClientIP-DNSNameQueryToIP.yaml
+++ b/Queries/InputEntity_IP/MostPrevClientIP-DNSNameQueryToIP.yaml
@ -18,12 +18,11 @@ query: |
  let GetAllIPByClientIP = (v_IP_Address:string){
  DnsEvents
  | where SubType == 'LookupQuery'
-  | where IPAddresses contains v_IP_Address
-  | summarize min(TimeGenerated), max(TimeGenerated), makeset(Name), count() by ClientIP, IPAddresses
-  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, ClientIP, DomainNames = set_Name, IPAddresses, count_ 
-  | top 10 by count_ desc nulls last
-  | project StartTimeUtc, EndTimeUtc, ClientIP, IPAddresses, DomainNames
-  | project-rename IP_Address=ClientIP
+  | where IPAddresses has v_IP_Address
+  | extend IP_Aux_IPAddresses = split(IPAddresses,','), IP_Address=ClientIP
+  | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses
+  | project-away IPAddresses
+  | top 10 by IP_Aux_Count desc nulls last
  };
  // change <Address> value below
-  GetAllIPByClientIP('<Address>')
+  GetAllIPByClientIP('<Address>')
--- a/Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
+++ b/Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
@ -24,7 +24,7 @@ query: |
  | extend info = pack('HostIP', HostIP, 'ProcessName', ProcessName, 'SeverityLevel', SeverityLevel)
  | summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer
  | top 10 by count_ desc nulls last 
-  | project StartTimeUtc = min_EventTime, EndTimeUtc = max_EventTime, Computer, Host_Aux_info
+  | project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info
  | project-rename Host_UnstructuredName=Computer
  };
  // change <Address> value below
--- a/Queries/InputEntity_Process/LeastPrevLxHosts_ByProcess.yaml
+++ b/Queries/InputEntity_Process/LeastPrevLxHosts_ByProcess.yaml
@ -27,7 +27,7 @@ query: |
  | extend info = pack('HostName', HostName, 'HostIP', HostIP, 'ProcessName', ProcessName, 'SyslogMessage', SyslogMessage)
  | summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer
  | top 10 by count_ asc nulls last 
-  | project min_EventTime, max_EventTime, Computer, Host_Aux_info
+  | project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info
  | project-rename Host_UnstructuredName=Computer
  };
  // change <CommandLine> value below
--- a/Queries/InputEntity_Process/Process2Host_VMConfigChange.txt
+++ b/Queries/InputEntity_Process/Process2Host_VMConfigChange.txt
@ -9,38 +9,52 @@
 // DataSource: ConfigurationChange
 // Tactics: #Persistence, #Execution

-let ConfigChange = (v_Process_ImageFile_Name:string, v_Service_FileName:string,  ) {ConfigurationChange | where TimeGenerated >= ago(1d)
-| where ConfigChangeType != "Software" 
-| extend Process = case(ConfigChangeType == "Registry" and ValueData contains ".exe", ValueData,
-ConfigChangeType == "WindowsServices", SvcPath,
-ConfigChangeType == "Files" and (FileSystemPath contains ".exe" or FileSystemPath contains ".bat" or FileSystemPath contains ".cmd"), FileSystemPath,
-ConfigChangeType == "Daemons", SvcPath,
-""
- )
-// Removing Common processes to improve query performance
-| where Process !contains ":\\Windows\\System32\\svchost.exe" and Process !contains ":\\Windows\\system32\\wbem\\WmiApSrv.exe" 
-and Process !contains ":\\Windows\\CCM\\CcmExec.exe" and Process !contains "Windows Defender Antivirus" 
-and Process !contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
-| where Process contains v_Process_ImageFile_Name or v_Service_FileName
-| parse FileContentChecksum with * "Hash=" Hash " " *
-| parse PreviousFileContentChecksum with * "Hash=" Hash " " *
-| extend Changes = case( 
-ConfigChangeType == "Registry" and ChangeCategory == "Modified", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "ValueData", ValueData, "PreviousValueData", PreviousValueData),
-ConfigChangeType == "Registry" and ChangeCategory == "Added", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "ValueData", ValueData),
-ConfigChangeType == "Registry" and ChangeCategory == "Removed", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "PreviousValueData", PreviousValueData),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "Path", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcPreviousPath", SvcPreviousPath),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "Runlevels", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcRunlevels", SvcRunlevels,"SvcPreviousRunlevels", SvcPreviousRunlevels),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "StartupType", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcStartupType", SvcStartupType, "SvcPreviousStartupType", SvcPreviousStartupType),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "State", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcPreviousState", SvcPreviousState),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "State StartupType", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcPreviousState", SvcPreviousState, "SvcStartupType", SvcStartupType, "SvcPreviousStartupType", SvcPreviousStartupType),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Added", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcStartupType", SvcStartupType),
-ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Removed", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcName", SvcName, "SvcPreviousPath", SvcPreviousPath, "SvcPreviousState", SvcPreviousState, "SvcPreviousStartupType", SvcPreviousStartupType),
-ConfigChangeType == "Files" and ChangeCategory == "Added", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "DateCreated", DateCreated, "DateModified", DateModified, "Hash", Hash),
-ConfigChangeType == "Files" and ChangeCategory == "Removed", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "DateCreated", PreviousDateCreated, "DateModified", PreviousDateModified, "Hash", Hash),
-ConfigChangeType == "Files" and ChangeCategory == "Modified", pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "FieldsChanged", FieldsChanged, "DateCreated", PreviousDateCreated, "DateModified", PreviousDateModified, "Hash", Hash),
-"")
-| extend Host_HostName = tostring(split(Computer, ".")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.')
-| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Process_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain
-| top 10 by StartTimeUtc desc
+let ConfigChange = (v_Process_ImageFile_Name:string ) 
+	{ConfigurationChange
+	| where ConfigChangeType != "Software" 
+	| extend Process = case(ConfigChangeType == "Registry" and ValueData contains ".exe", ValueData,
+							ConfigChangeType == "WindowsServices", SvcPath,
+							ConfigChangeType == "Files" and (FileSystemPath contains ".exe" or FileSystemPath contains ".bat" or FileSystemPath contains ".cmd"), FileSystemPath,
+							ConfigChangeType == "Daemons", SvcPath,
+							""
+							)
+	// Removing Common processes to improve query performance
+	| where Process !contains ":\\Windows\\System32\\svchost.exe" and Process !contains ":\\Windows\\system32\\wbem\\WmiApSrv.exe" 
+		and Process !contains ":\\Windows\\CCM\\CcmExec.exe" and Process !contains "Windows Defender Antivirus" 
+		and Process !contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
+	| where iff(v_Process_ImageFile_Name == "", false, Process contains v_Process_ImageFile_Name) 
+	| parse FileContentChecksum with * "Hash=" Hash " " *
+	| parse PreviousFileContentChecksum with * "Hash=" Hash " " *
+	| extend Changes = case( 
+	ConfigChangeType == "Registry" and ChangeCategory == "Modified", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "ValueData", ValueData, "PreviousValueData", PreviousValueData),
+	ConfigChangeType == "Registry" and ChangeCategory == "Added", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "ValueData", ValueData),
+	ConfigChangeType == "Registry" and ChangeCategory == "Removed", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "RegistryKey" , RegistryKey, "ValueName", ValueName, "PreviousValueData", PreviousValueData),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "Path", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcPreviousPath", SvcPreviousPath),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "Runlevels", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcRunlevels", SvcRunlevels,"SvcPreviousRunlevels", SvcPreviousRunlevels),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "StartupType", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcStartupType", SvcStartupType, "SvcPreviousStartupType", SvcPreviousStartupType),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "State", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcPreviousState", SvcPreviousState),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Modified" and SvcChangeType == "State StartupType", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcChangeType", SvcChangeType, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcPreviousState", SvcPreviousState, "SvcStartupType", SvcStartupType, "SvcPreviousStartupType", SvcPreviousStartupType),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Added", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcName", SvcName, "SvcPath", SvcPath, "SvcState", SvcState, "SvcStartupType", SvcStartupType),
+	ConfigChangeType in ("WindowsServices","Daemons") and ChangeCategory == "Removed", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "SvcName", SvcName, "SvcPreviousPath", SvcPreviousPath, "SvcPreviousState", SvcPreviousState, "SvcPreviousStartupType", SvcPreviousStartupType),
+	ConfigChangeType == "Files" and ChangeCategory == "Added", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "DateCreated", DateCreated, "DateModified", DateModified, "Hash", Hash),
+	ConfigChangeType == "Files" and ChangeCategory == "Removed", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "DateCreated", PreviousDateCreated, "DateModified", PreviousDateModified, "Hash", Hash),
+	ConfigChangeType == "Files" and ChangeCategory == "Modified", 
+		pack("ConfigChangeType", ConfigChangeType, "ChangeCategory", ChangeCategory, "FileSystemPath", FileSystemPath, "FieldsChanged", FieldsChanged, "DateCreated", PreviousDateCreated, "DateModified", PreviousDateModified, "Hash", Hash),
+	"")
+	| extend Host_HostName = tostring(split(Computer, ".")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.')
+	| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain
+	| top 10 by Host_Aux_StartTimeUtc desc
 };
-ConfigChange('<Process_ImageFile>', '<Service_FileName>')
+ConfigChange('<Process_ImageFile>')
--- a/Queries/InputEntity_Process/WinHosts_WithThisProcess.yaml
+++ b/Queries/InputEntity_Process/WinHosts_WithThisProcess.yaml
@ -29,7 +29,7 @@ query: |
  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info
  | top 10 by min_TimeGenerated asc nulls last
-  | project-rename Host_UnstructuredName=Computer
+  | project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
  };
  // change <CommandLine> value below
  GetHostsWithProcess('<CommandLine>')