initial commit
Родитель
ef7a74aee7
Коммит
e86c17507a
|
@ -53,7 +53,7 @@ query: |
|
|||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
- identifier: FullName
|
||||
columnName: TargetUserPrincipalName
|
||||
- identifier: Name
|
||||
columnName: TargetAccountName
|
||||
|
@ -65,7 +65,7 @@ entityMappings:
|
|||
columnName: TargetAadUserId
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
- identifier: FullName
|
||||
columnName: InitiatingAccountName
|
||||
- identifier: Name
|
||||
columnName: InitiatingAccountName
|
||||
|
@ -75,5 +75,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: AadUserId
|
||||
columnName: InitiatingAadUserId
|
||||
version: 1.0.6
|
||||
version: 1.0.7
|
||||
kind: Scheduled
|
|
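Review bot: In the second Account mapping (the hunk at `@ -65,7 +65,7 @@`), the new `- identifier: FullName` and the unchanged `- identifier: Name` both point at the same column, `InitiatingAccountName`, so the second field adds nothing to the entity. In the first hunk the same pair is split across `TargetUserPrincipalName` and `TargetAccountName`; if an equivalent initiating-account column exists in the query (the query body is outside this view), `Name` should map to it, otherwise the duplicate `- identifier: Name` / `columnName: InitiatingAccountName` entry can be dropped. Mapping two identifiers of one entity to a single column is unusual enough that, if it is intentional, a short comment above the mapping should say why.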
@ -27,23 +27,34 @@ query: |
|
|||
| where EventID == 4688
|
||||
| where (CommandLine has_all ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f') and CommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource'))
|
||||
or CommandLine has_all ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')
|
||||
| project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
|
||||
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
|
||||
),
|
||||
(DeviceProcessEvents
|
||||
| where (InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f')
|
||||
and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource') )
|
||||
or InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
|
||||
| extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName
|
||||
)
|
||||
)
|
||||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.0.1
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
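Review bot: The Account mapping at `- identifier: UPNSuffix` / `columnName: AccountNTDomain` pairs the NT domain (the part of `Account` before the backslash) with the UPN-suffix identifier, so the entity is built from a `DOMAIN` value where a UPN suffix is expected. The rule's own `extend` names the column `AccountNTDomain`, and the SysAid rule later in this commit maps the same derived column with `- identifier: NTDomain`; this rule should do the same: `- identifier: NTDomain`. The same mismatch appears in the wmic/dllhost rule (`@ -26,21 +26,32 @@`), the SOURGUM rule (`@ -38,26 +38,36 @@`) and the Chia rule (`@ -34,21 +34,31 @@`). Separately, in the `DeviceProcessEvents` branch `Account` is set from `InitiatingProcessAccountName`; if that column carries no `DOMAIN\` prefix, `split(Account, @'\')[1]` is empty and the `Name` identifier ends up blank for those rows, which is worth confirming against sample data.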
@ -26,21 +26,32 @@ query: |
|
|||
(SecurityEvent
|
||||
| where EventID==4688
|
||||
| where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
|
||||
| project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
|
||||
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
|
||||
),
|
||||
(DeviceProcessEvents
|
||||
| where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
|
||||
| extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName
|
||||
)
|
||||
)
|
||||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.0.2
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
||||
|
|
|
@ -26,14 +26,18 @@ query: |
|
|||
| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
|
||||
// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
|
||||
| sort by Percent desc
|
||||
| extend AccountCustomEntity = UserPrincipalName
|
||||
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: UserPrincipalName
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
|
@ -43,5 +47,5 @@ incidentConfiguration:
|
|||
matchingMethod: Selected
|
||||
groupByEntities:
|
||||
- Account
|
||||
version: 1.1.3
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
|
@ -43,17 +43,17 @@ query: |
|
|||
// Calculate the time between first and last logon attempt (AttemptPeriodLength)
|
||||
| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
|
||||
| where TotalLogonAttempts >= threshold
|
||||
| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP
|
||||
| sort by DestinationHost asc nulls last
|
||||
| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress
|
||||
| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP
|
||||
| sort by Computer asc nulls last
|
||||
| extend timestamp = FirstLogonAttempt
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: Computer
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.3
|
||||
columnName: HostIP
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
|
|
|
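Review bot: The IP entity at `- identifier: Address` / `columnName: HostIP` still maps only the destination host's address, while `SourceAddress = RemoteIP`, the address the logon attempts come from, is projected but not mapped to any entity, so incidents cannot be grouped or correlated on the source. Consider adding a second mapping, `- entityType: IP` / `- identifier: Address` / `columnName: SourceAddress`. The Host mapping also stops at `FullName: Computer`, whereas the other rules in this commit derive `HostName` and `DnsDomain` columns for the Host entity; aligning this rule would keep the entity shape consistent across the rule set.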
@ -47,19 +47,30 @@ query: |
|
|||
| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url
|
||||
| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
|
||||
OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url
|
||||
| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url
|
||||
| extend timestamp = Audit_TimeGenerated
|
||||
| extend AccountName = tostring(split(userPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, "@")[1])
|
||||
| extend HostName = tostring(split(TargetResourceDisplayName, ".")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: userPrincipalName
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: TargetResourceDisplayName
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: URLCustomEntity
|
||||
version: 1.2.5
|
||||
columnName: Url
|
||||
version: 1.2.6
|
||||
kind: Scheduled
|
|
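Review bot: The new `HostName`/`HostNameDomain` columns are derived by splitting `TargetResourceDisplayName` on `.` and are mapped to the Host entity's `HostName` and `DnsDomain` identifiers; if that column is a resource display name rather than a DNS host name (the query body above the hunk is not visible here), a display name containing a period will be split into a meaningless host/domain pair. Worth confirming against sample rows from the audit source, and if the assumption holds, recording it in the query with a comment such as `// TargetResourceDisplayName is treated as host.domain here; confirm the source emits FQDNs`.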
@ -68,20 +68,26 @@ query: |
|
|||
) on $left.DomainName==$right.DnsQuery
|
||||
| where DNS_TimeGenerated < ExpirationDateTime
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
|
||||
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url
|
||||
| extend timestamp = DNS_TimeGenerated
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: Dvc
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
columnName: SrcIpAddr
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: URLCustomEntity
|
||||
columnName: Url
|
||||
customDetails:
|
||||
LatestIndicatorTime: LatestIndicatorTime
|
||||
Description: Description
|
||||
|
@ -94,5 +100,5 @@ customDetails:
|
|||
SourceIPAddress: SrcIpAddr
|
||||
DnsQuery: DnsQuery
|
||||
QueryType: DnsQueryType
|
||||
version: 1.1.5
|
||||
version: 1.1.6
|
||||
kind: Scheduled
|
|
@ -41,13 +41,13 @@ query: |
|
|||
| where ObjectName endswith ".jsp"
|
||||
| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)
|
||||
on timekey, Computer, SubjectLogonId
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
|
||||
| extend timestamp = TimeGenerated, Account, Computer
|
||||
),
|
||||
(DeviceFileEvents
|
||||
| where InitiatingProcessFileName has_any ("java.exe", "javaw.exe")
|
||||
| where InitiatingProcessCommandLine has "SysAidServer"
|
||||
| where FileName endswith ".jsp"
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
|
||||
| extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName
|
||||
),
|
||||
(imFileEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
|
@ -55,25 +55,36 @@ query: |
|
|||
| where ActingProcessName has_any ("java.exe", "javaw.exe")
|
||||
| where ActingProcessCommandLine has "SysAidServer"
|
||||
| where FilePath endswith ".jsp"
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
|
||||
| extend timestamp = TimeGenerated, Account = ActorUsername, Computer = DvcHostname
|
||||
)
|
||||
)
|
||||
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
|
||||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.0.1
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
kind: Scheduled
|
||||
author:
|
||||
name: Ajeet Prakash
|
||||
name: Microsoft Security Research
|
||||
support:
|
||||
tier: Community
|
||||
categories:
|
||||
|
|
|
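Review bot: In the first hunk, `| extend timestamp = TimeGenerated, Account, Computer` lists `Account` and `Computer` as bare expressions; both columns already exist from the preceding `summarize ... by ParentProcessName, Account, Computer, ...`, so the two extra entries re-assign a column to itself and do nothing. The other branches spell out the rename (`Account = InitiatingProcessAccountName`, `Account = ActorUsername`), so for this branch the line should simply be `| extend timestamp = TimeGenerated`. The enclosing query starts before this hunk.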
@ -38,26 +38,36 @@ query: |
|
|||
(ParentProcessName has_any (file_path3))
|
||||
| extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
|
||||
| extend NewProcessId = tostring(EventData.NewProcessId)
|
||||
| extend IPCustomEntity = tostring(EventData.IpAddress)
|
||||
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'
|
||||
|
||||
| extend IP = tostring(EventData.IpAddress)
|
||||
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IP
|
||||
| extend timestamp = TimeGenerated, Alert = 'SOURGUM IOC detected'
|
||||
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
|
||||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
columnName: IP
|
||||
- entityType: Process
|
||||
fieldMappings:
|
||||
- identifier: ProcessId
|
||||
columnName: ProcessCustomEntity
|
||||
version: 1.0.3
|
||||
columnName: NewProcessName
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
|
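Review bot: The Process mapping at `- identifier: ProcessId` / `columnName: NewProcessName` binds a process image path to the ProcessId identifier; the query already projects `NewProcessId` (`| extend NewProcessId = tostring(EventData.NewProcessId)`), which is the column that identifier should reference: `columnName: NewProcessId`. The old `ProcessCustomEntity = NewProcessName` had the same mismatch, but the rewrite is the moment to fix it, since a path in the ProcessId slot yields an entity that never matches any other process entity.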
@ -34,21 +34,31 @@ query: |
|
|||
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'
|
||||
| extend FilePath = replace_string(NewProcessName, File, '')
|
||||
| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type
|
||||
| extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath
|
||||
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
|
||||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
columnName: Account
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: Computer
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: File
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: FileCustomEntity
|
||||
columnName: File
|
||||
- identifier: Directory
|
||||
columnName: FilePathCustomEntity
|
||||
version: 1.0.3
|
||||
columnName: FilePath
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|