From e86c17507a096185676136247e709845c3e01fb8 Mon Sep 17 00:00:00 2001 From: Diana Damenova Date: Thu, 4 Apr 2024 19:10:42 -0400 Subject: [PATCH] initial commit --- .../PrivilegedAccountPermissionsChanged.yaml | 6 ++-- .../Dev-0270RegistryIOCSep2022.yaml | 21 ++++++++++---- .../Dev-0270WMICDiscoverySep2022.yaml | 21 ++++++++++---- .../InsiderRiskyAccessByApplication.yaml | 10 +++++-- .../FailedLogonAttempts_UnknownUser.yaml | 12 ++++---- .../Analytic Rules/URLEntity_AuditLogs.yaml | 21 ++++++++++---- .../imDns_DomainEntity_DnsEvents.yaml | 16 +++++++---- .../PotentialMercury_Webshell.yaml | 25 ++++++++++++----- .../CaramelTsunami_IOC_WindowsEvent.yaml | 28 +++++++++++++------ .../ChiaCryptoMining_WindowsEvent.yaml | 22 +++++++++++---- 10 files changed, 128 insertions(+), 54 deletions(-) diff --git a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml index 8a9307f7e1..08fd3dcbaa 100644 --- a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml +++ b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml @@ -53,7 +53,7 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: TargetUserPrincipalName - identifier: Name columnName: TargetAccountName @@ -65,7 +65,7 @@ entityMappings: columnName: TargetAadUserId - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: InitiatingAccountName - identifier: Name columnName: InitiatingAccountName @@ -75,5 +75,5 @@ entityMappings: fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId -version: 1.0.6 +version: 1.0.7 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270RegistryIOCSep2022.yaml b/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270RegistryIOCSep2022.yaml index ebc45f90f3..6d5018144d 100644 --- a/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270RegistryIOCSep2022.yaml +++ b/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270RegistryIOCSep2022.yaml @@ -27,23 +27,34 @@ query: | | where EventID == 4688 | where (CommandLine has_all ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f') and CommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')) or CommandLine has_all ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@') - | project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type + | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type ), (DeviceProcessEvents | where (InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f') and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource') ) or InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@') - | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName + | extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName ) ) + | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) + | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.1 + columnName: Computer + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml b/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml index 1af8b44b0e..d9b3c112d7 100644 --- a/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml +++ b/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml @@ -26,21 +26,32 @@ query: | (SecurityEvent | where EventID==4688 | where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe" - | project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type + | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type ), (DeviceProcessEvents | where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe" - | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName + | extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName ) ) + | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) + | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.2 + columnName: Computer + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.0.3 kind: Scheduled diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml b/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml index 40e52db59b..b4665b5881 100644 --- a/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml +++ b/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml @@ -26,14 +26,18 @@ query: | | project Percent, UserPrincipalName, Location, AppDisplayName, RiskState // | lookup kind=inner _GetWatchlist('') on $left.UserPrincipalName == $right.SearchKey | sort by Percent desc - | extend AccountCustomEntity = UserPrincipalName + | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1]) eventGroupingSettings: aggregationKind: SingleAlert entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: UserPrincipalName + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix incidentConfiguration: createIncident: true groupingConfiguration: @@ -43,5 +47,5 @@ incidentConfiguration: matchingMethod: Selected groupByEntities: - Account -version: 1.1.3 +version: 1.1.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml b/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml index fa5857c56e..c2057f36bb 100644 --- a/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml +++ b/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml @@ -43,17 +43,17 @@ query: | // Calculate the time between first and last logon attempt (AttemptPeriodLength) | extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt | where TotalLogonAttempts >= threshold - | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP - | sort by DestinationHost asc nulls last - | extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress + | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP + | sort by Computer asc nulls last + | extend timestamp = FirstLogonAttempt entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.3 + columnName: HostIP +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml index 403a566c0f..4f81c40c6b 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml @@ -47,19 +47,30 @@ query: | | summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url - | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url + | extend timestamp = Audit_TimeGenerated + | extend AccountName = tostring(split(userPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, "@")[1]) + | extend HostName = tostring(split(TargetResourceDisplayName, ".")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: userPrincipalName + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: TargetResourceDisplayName + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: URL fieldMappings: - identifier: Url - columnName: URLCustomEntity -version: 1.2.5 + columnName: Url +version: 1.2.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml index 934a931cba..d455fab888 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml @@ -68,20 +68,26 @@ query: | ) on $left.DomainName==$right.DnsQuery | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType - | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url + | extend timestamp = DNS_TimeGenerated + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: SrcIpAddr - entityType: URL fieldMappings: - identifier: Url - columnName: URLCustomEntity + columnName: Url customDetails: LatestIndicatorTime: LatestIndicatorTime Description: Description @@ -94,5 +100,5 @@ customDetails: SourceIPAddress: SrcIpAddr DnsQuery: DnsQuery QueryType: DnsQueryType -version: 1.1.5 +version: 1.1.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml b/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml index 981fff113c..af12ca0dd9 100644 --- a/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml +++ b/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml @@ -41,13 +41,13 @@ query: | | where ObjectName endswith ".jsp" | summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId) on timekey, Computer, SubjectLogonId - | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer + | extend timestamp = TimeGenerated, Account, Computer ), (DeviceFileEvents | where InitiatingProcessFileName has_any ("java.exe", "javaw.exe") | where InitiatingProcessCommandLine has "SysAidServer" | where FileName endswith ".jsp" - | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName + | extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName ), (imFileEvent | where TimeGenerated > ago(timeframe) @@ -55,25 +55,36 @@ query: | | where ActingProcessName has_any ("java.exe", "javaw.exe") | where ActingProcessCommandLine has "SysAidServer" | where FilePath endswith ".jsp" - | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname + | extend timestamp = TimeGenerated, Account = ActorUsername, Computer = DvcHostname ) ) + | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0]) + | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Account + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.1 + columnName: Computer + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.0.2 kind: Scheduled metadata: source: kind: Scheduled author: - name: Ajeet Prakash + name: Microsoft Security Research support: tier: Community categories: diff --git a/Solutions/Windows Forwarded Events/Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml b/Solutions/Windows Forwarded Events/Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml index 9c132b56b2..0bafe41537 100644 --- a/Solutions/Windows Forwarded Events/Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml +++ b/Solutions/Windows Forwarded Events/Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml @@ -38,26 +38,36 @@ query: | (ParentProcessName has_any (file_path3)) | extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName) | extend NewProcessId = tostring(EventData.NewProcessId) - | extend IPCustomEntity = tostring(EventData.IpAddress) - | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity - | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' - + | extend IP = tostring(EventData.IpAddress) + | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IP + | extend timestamp = TimeGenerated, Alert = 'SOURGUM IOC detected' + | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0]) + | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: IP - entityType: Process fieldMappings: - identifier: ProcessId - columnName: ProcessCustomEntity -version: 1.0.3 + columnName: NewProcessName +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml b/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml index d39f75e8eb..9a779cfa81 100644 --- a/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml +++ b/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml @@ -34,21 +34,31 @@ query: | | extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected' | extend FilePath = replace_string(NewProcessName, File, '') | project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type - | extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath + | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0]) + | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Account + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: File fieldMappings: - identifier: Name - columnName: FileCustomEntity + columnName: File - identifier: Directory - columnName: FilePathCustomEntity -version: 1.0.3 + columnName: FilePath +version: 1.0.4 kind: Scheduled \ No newline at end of file