Fixes
Родитель
8c900dafa2
Коммит
e030abc8e7
|
@ -19,7 +19,7 @@ query: |
|
|||
let lookback = starttime - 14d;
|
||||
let midtime = starttime - 1d;
|
||||
// Generating historical table of all events per AccountId and Region
|
||||
let EventInfo_CurrentDay = materialize (AWSCloudTrail | where TimeGenerated >= between(starttime..endtime);
|
||||
let EventInfo_CurrentDay = materialize (AWSCloudTrail | where TimeGenerated between(starttime..endtime);
|
||||
let EventInfo_historical = AWSCloudTrail | where TimeGenerated between (lookback..midtime)) | summarize max(TimeGenerated) by AWSRegion, UserIdentityAccountId;
|
||||
// Doing Leftanti join to find new regions historically not seen for the same account.
|
||||
let EventInfo_Unseen = materialize (
|
||||
|
|
|
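Review bot: The new EventInfo_CurrentDay line looks unbalanced: `materialize (` is opened but the only `)` on that line belongs to `between(starttime..endtime)`, and the unchanged EventInfo_historical line just below it carries one `)` too many after `between (lookback..midtime)`. As printed the two lines would not parse together; the minimal repair is `let EventInfo_CurrentDay = materialize (AWSCloudTrail | where TimeGenerated between(starttime..endtime));` and `let EventInfo_historical = AWSCloudTrail | where TimeGenerated between (lookback..midtime) | summarize max(TimeGenerated) by AWSRegion, UserIdentityAccountId;`. If the historical set was meant to be materialized as well, wrap it in `materialize (...)` rather than dropping the parenthesis. The let-chain continues outside the hunk on both sides, so check the balance against the full query.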
@ -26,7 +26,7 @@ query: |
|
|||
AwsBucketAPILogs_CL
|
||||
| where EventTime between (lookback..endtime)
|
||||
| where EventName == "GetObject"
|
||||
| make-series Total=sum(BytesTransferredOut) on EventTime from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;
|
||||
| make-series Total=sum(BytesTransferredOut) on EventTime from startofday(starttime) to startofday(endtime) step timeframe;
|
||||
// Use the time series data prepared in previous step with time series aomaly function to generate baseline pattern and flag the outlier based on scorethreshold value.
|
||||
let TimeSeriesAlerts = TimeSeriesData
|
||||
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')
|
||||
|
|
|
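Review bot: The rebuilt make-series window starts at `startofday(starttime)`, but the filter two lines above still admits rows from `lookback`, so everything between lookback and starttime is scanned and then dropped by the series bounds, and series_decompose_anomalies fits its baseline only on the starttime..endtime bins. If the lookback is meant to feed the baseline, the range should be `| make-series Total=sum(BytesTransferredOut) on EventTime from startofday(lookback) to startofday(endtime) step timeframe;`; if not, tighten the filter to `| where EventTime between (starttime..endtime)` so the extra period is not read for nothing. The definitions of lookback and timeframe are outside this hunk and should be checked against whichever is intended. The comment before TimeSeriesAlerts also misspells `anomaly` as `aomaly`.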
@ -23,7 +23,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let auditLookback = startttime - 14d;
|
||||
let auditLookback = starttime - 14d;
|
||||
// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded
|
||||
let threshold = 3;
|
||||
// Helper function to extract relevant fields from AuditLog events
|
||||
|
|
|
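Review bot: The corrected line sets `auditLookback = starttime - 14d`, while the comment three lines below still says the exclusion covers operations seen "more than 3 times in the past 30 days". If auditLookback is the window that exclusion uses (its use is outside this hunk), one of the two is wrong; either change the comment to `// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 14 days will be excluded` (which also fixes `exluded`) or set the lookback to `starttime - 30d`.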
@ -22,7 +22,7 @@ query: |
|
|||
let propertyIgnoreList = dynamic(["TargetId.UserType", "StsRefreshTokensValidFrom", "LastDirSyncTime", "DeviceOSVersion", "CloudDeviceOSVersion", "DeviceObjectVersion"]);
|
||||
let appIgnoreList = dynamic(["Microsoft Azure AD Group-Based Licensing"]);
|
||||
let AuditTrail = AuditLogs
|
||||
| where TimeGenerated >= ago(auditLookback) and TimeGenerated < starttime
|
||||
| where TimeGenerated between(auditLookback..starttime)
|
||||
| where isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).displayName))
|
||||
| extend InitiatedByApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
|
||||
| extend ModProps = TargetResources.[0].modifiedProperties
|
||||
|
|
|
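Review bot: The replaced filter used `ago(auditLookback)`, which only typechecks when auditLookback is a timespan, but the new `between(auditLookback..starttime)` needs auditLookback to be a datetime. Unless the definition of auditLookback, which is above this hunk, was changed to a datetime in the same commit, this should read `| where TimeGenerated between((starttime - auditLookback)..starttime)`; if the definition was changed, the hunk that changed it is not shown here and is worth confirming. The AuditTrail let-body continues past the end of the hunk.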
@ -29,7 +29,7 @@ query: |
|
|||
| where isnotempty(FileURI) and isnotempty(commandToExecute)
|
||||
| summarize max(TimeGenerated), OperationCount = count() by Caller, Resource, CallerIpAddress, FileURI, commandToExecute;
|
||||
let CurrentCustomScriptExecution = CustomScriptExecution
|
||||
| where TimeGenerated beteeen (starttime..endtime)
|
||||
| where TimeGenerated between (starttime..endtime)
|
||||
| where isnotempty(FileURI) and isnotempty(commandToExecute)
|
||||
| project TimeGenerated, ActivityStatus, OperationId, CorrelationId, ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup, FileURI, commandToExecute, FailureMessage = message_, HTTPRequest, Settings;
|
||||
let RareCustomScriptExecution = CurrentCustomScriptExecution
|
||||
|
|
|
@ -17,7 +17,7 @@ query: |
|
|||
// Set the period for detections
|
||||
// Get a list of previous Release Pipeline creators to exclude
|
||||
let releaseusers = AzureDevOpsAuditing
|
||||
| where TimeGenerated > ago(timeback) and TimeGenerated < starttime
|
||||
| where TimeGenerated between(ago(lookback)..starttime)
|
||||
| where OperationName =~ "Release.ReleasePipelineCreated"
|
||||
// We want to look for users performing actions in specific organizations so we creat this userscope object to match on
|
||||
| extend UserScope = strcat(ActorUPN, "-", ProjectName)
|
||||
|
|
|
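Review bot: The new filter references `lookback` where the removed line used `timeback`, and neither name is declared in the hunk (the `// Set the period for detections` comment is immediately followed by the next comment, so the declarations appear to sit above it); confirm that `lookback` is the identifier actually declared, otherwise the symbol does not resolve. Note also that `ago(lookback)` requires a timespan, whereas the other rules touched by this commit define `let lookback = starttime - 14d;` as a datetime; if this file follows that convention the line should be `| where TimeGenerated between(lookback..starttime)`. The comment before UserScope misspells `create` as `creat`.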
@ -15,8 +15,6 @@ query: |
|
|||
let EndLearningTime = starttime - LearningPeriod;
|
||||
let NumberOfStds = 3;
|
||||
let MinThreshold = 10.0;
|
||||
let EndRunTime = StartTime - RunTime;
|
||||
let EndLearningTime = StartTime + LearningPeriod;
|
||||
let GitHubRepositoryDestroyEvents = (GitHubAudit
|
||||
| where Action == "repo.destroy");
|
||||
GitHubRepositoryDestroyEvents
|
||||
|
|
|
@ -24,7 +24,7 @@ query: |
|
|||
| distinct AADClientId
|
||||
| join kind=rightanti(
|
||||
LAQueryLogs
|
||||
| where TimeGenerated > between(starttime..endtime)
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
| where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
|
||||
)
|
||||
on AADClientId
|
||||
|
|
|
@ -20,7 +20,7 @@ query: |
|
|||
| where TimeGenerated between(startofday(ago(lookback))..starttime)
|
||||
| summarize by AADEmail
|
||||
| join kind = rightanti (LAQueryLogs
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
| where TimeGenerated between(starttime..endtime))
|
||||
on AADEmail
|
||||
| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
|
||||
|
|
|
@ -18,7 +18,7 @@ query: |
|
|||
let threshold = 0;
|
||||
LAQueryLogs
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
| make-series rows = sum(ResponseRowCount) on TimeGenerated in range(ago(lookback), endtime, 1h)
|
||||
| make-series rows = sum(ResponseRowCount) on TimeGenerated in range(starttime - lookback, endtime, 1h)
|
||||
| extend (anomalies, score, baseline) = series_decompose_anomalies(rows,3, -1, 'linefit')
|
||||
| mv-expand anomalies to typeof(int), score to typeof(double), TimeGenerated to typeof(datetime)
|
||||
| where anomalies > threshold
|
||||
|
|
|
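Review bot: The series range now begins at `starttime - lookback`, but the where clause on the line above it still restricts rows to starttime..endtime, so every hourly bin before starttime is empty and the baseline series_decompose_anomalies fits is pulled toward zero before the window of interest. Widen the filter to match the series: `| where TimeGenerated between((starttime - lookback)..endtime)`. The definitions of starttime, endtime and lookback are above the hunk.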
@ -20,7 +20,7 @@ query: |
|
|||
let diff = 5;
|
||||
let anomolous_users = (
|
||||
LAQueryLogs
|
||||
| where TimeGenerated between(startofday(ago(lookback))..startime)
|
||||
| where TimeGenerated between(startofday(ago(lookback))..starttime)
|
||||
| summarize score=sum(ResponseRowCount) by AADEmail
|
||||
| join kind = fullouter (LAQueryLogs
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
|
|
|
@ -12,7 +12,7 @@ relevantTechniques:
|
|||
- T1020
|
||||
query: |
|
||||
|
||||
let timeframe = 1h
|
||||
let timeframe = 1h;
|
||||
let threshold = 10;
|
||||
LAQueryLogs
|
||||
| where ResponseCode != 200
|
||||
|
|
|
@ -71,8 +71,8 @@ query: |
|
|||
) on $left.InitiatedBy_Caller == $right.TargetUserName;
|
||||
// union the user addition events and resource addition events and provide common column names, additionally pack the value, property and resource info to reduce result set.
|
||||
UserAddWithResource
|
||||
| union isfuzzy=true ResourceMatch
|
||||
| union isfuzzy=true(ResourceMatch
|
||||
| extend PropertySet = pack("Value", Value, "PropertyName_ResourceId", PropertyName_ResourceId)
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName
|
||||
| order by StartTimeUtc asc
|
||||
| order by StartTimeUtc asc)
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress
|
|
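Review bot: Parenthesising `union isfuzzy=true(ResourceMatch ... | order by StartTimeUtc asc)` moves the extend, summarize and order operators inside the right-hand branch, so they now apply only to ResourceMatch and the UserAddWithResource rows are emitted unsummarized; the comment above the union still describes packing and summarizing the combined set. Unless UserAddWithResource already exposes StartTimeUtc, EndTimeUtc and the summarize-by columns (its definition is above this hunk), the trailing `| extend timestamp = StartTimeUtc, ...` will yield null timestamps for those rows. If the narrowing is intended, update the comment to say the pack/summarize applies to the resource-addition side only; if not, close the parenthesis right after `ResourceMatch` as before and keep the operators at the top level.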
@ -16,7 +16,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let historical_bots = (
|
||||
OfficeActivity
|
||||
| where TimeGenerated between(lookback..starttime)
|
||||
|
|
|
@ -18,7 +18,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let historicalActivity=
|
||||
OfficeActivity
|
||||
| where TimeGenerated between(lookback..starttime)
|
||||
|
|
|
@ -16,7 +16,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let historicalActivity=
|
||||
OfficeActivity
|
||||
| where RecordType == "SharePointFileOperation"
|
||||
|
|
|
@ -15,7 +15,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let historicalActivity=
|
||||
OfficeActivity
|
||||
| where RecordType == "SharePointFileOperation"
|
||||
|
|
|
@ -14,7 +14,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let historicalUA=
|
||||
OfficeActivity
|
||||
| where RecordType == "SharePointFileOperation"
|
||||
|
|
|
@ -11,7 +11,7 @@ tactics:
|
|||
query: |
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 14d;
|
||||
let lookback = starttime - 14d;
|
||||
let out_msg = ProofpointPOD
|
||||
| where TimeGenerated between (lookback..starttime)
|
||||
| where EventType == 'message'
|
||||
|
|
|
@ -17,7 +17,7 @@ query: |
|
|||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let lookback = startime - 7d;
|
||||
let lookback = starttime - 7d;
|
||||
// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
|
||||
// The SIDs for DnsAdmins and DnsUpdateProxy can be different than *-1102 and -*1103. Check these SIDs in your domain before running the query
|
||||
|
|
|
@ -19,7 +19,7 @@ query: |
|
|||
let lookback = starttime - 14d;
|
||||
let known_procs = (
|
||||
SecurityEvent
|
||||
| where TimeGenerated between(lookback..startime)
|
||||
| where TimeGenerated between(lookback..starttime)
|
||||
| where EventID == 4688
|
||||
| where ParentProcessName hassuffix "w3wp.exe"
|
||||
| extend ProcessHost = strcat(Process, "-", Computer)
|
||||
|
|
|
@ -24,7 +24,7 @@ query: |
|
|||
| where TimeGenerated between(lookback..endtime)
|
||||
| where EventID == 4688
|
||||
| summarize FullCount = count()
|
||||
, Count= countif(TimeGenerated between (startime .. endtime))
|
||||
, Count= countif(TimeGenerated between (starttime .. endtime))
|
||||
, min_TimeGenerated=min(TimeGenerated)
|
||||
, max_TimeGenerated=max(TimeGenerated)
|
||||
by Computer, NewProcessName
|
||||
|
|
|
@ -18,7 +18,7 @@ query: |
|
|||
let lookback = startime - 14d;
|
||||
let disabledAccounts = (){
|
||||
SigninLogs
|
||||
| where TimeGenerated between(lookback..starttime))
|
||||
| where TimeGenerated between(lookback..starttime)
|
||||
| where ResultType == 50057
|
||||
| where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."
|
||||
};
|
||||
|
|
|
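Review bot: The hunk removes the stray `)` from the historical filter, but the context line at its top still reads `let lookback = startime - 14d;` with the same `startime` typo this commit fixes in the OfficeActivity, ProofpointPOD and SecurityEvent rules, so this query still fails to resolve starttime. Change it to `let lookback = starttime - 14d;` in the same commit. The disabledAccounts function body closes inside the hunk, but the rest of the query follows it.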
@ -16,8 +16,11 @@ relevantTechniques:
|
|||
- T1030
|
||||
query: |
|
||||
|
||||
let starttime = todatetime('{{StartTimeISO}}');
|
||||
let endtime = todatetime('{{EndTimeISO}}');
|
||||
let TimeSeriesData =
|
||||
Syslog
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
| where ProcessName contains "squid"
|
||||
| extend URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)",3,SyslogMessage),
|
||||
SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage),
|
||||
|
@ -30,7 +33,7 @@ query: |
|
|||
contentType = extract("([a-z/]+$)",1,SyslogMessage)
|
||||
| extend TLD = extract("\\.[a-z]*$",0,Domain)
|
||||
| where isnotempty(Bytes)
|
||||
| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by ProcessName;
|
||||
| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(starttime) to startofday(endtime) step timeframe by ProcessName;
|
||||
TimeSeriesData
|
||||
| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent,3, -1, 'linefit')
|
||||
| extend timestamp = TimeGenerated
|
||||
|
|
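Review bot: In the second hunk `| extend timestamp = TimeGenerated` is applied directly after make-series and series_decompose_anomalies, at which point TimeGenerated is the series' time axis (an array per ProcessName) rather than a scalar, so timestamp becomes an array unless an mv-expand follows it outside the hunk. The comparable LAQueryLogs rule in this commit expands first with `| mv-expand anomalies to typeof(int), score to typeof(double), TimeGenerated to typeof(datetime)` and only then derives scalar fields; if this query does the same further down, consider moving the timestamp extend after that step, and if it does not, add the mv-expand before it. Both hunks cut the query mid-pipeline, so the lines that follow should be checked.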