initial commit

Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml

@@ -53,7 +53,7 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: Name
+      - identifier: FullName
         columnName: TargetUserPrincipalName
       - identifier: Name
         columnName: TargetAccountName
@@ -65,7 +65,7 @@ entityMappings:
         columnName: TargetAadUserId
   - entityType: Account
     fieldMappings:
-      - identifier: Name
+      - identifier: FullName
         columnName: InitiatingAccountName
       - identifier: Name
         columnName: InitiatingAccountName
@@ -75,5 +75,5 @@ entityMappings:
     fieldMappings:
       - identifier: AadUserId
         columnName: InitiatingAadUserId
-version: 1.0.6
+version: 1.0.7
 kind: Scheduled

Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270RegistryIOCSep2022.yaml

@@ -27,23 +27,34 @@ query: |
   | where EventID == 4688
   | where (CommandLine has_all  ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f') and CommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource'))
     or CommandLine has_all ('reg', 'add', 'HKLM\\SOFTWARE\\Policies\\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')
-  | project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
+  | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
   ),
   (DeviceProcessEvents 
   | where (InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f') 
      and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource') ) 
      or InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')
-  | extend timestamp = TimeGenerated, AccountCustomEntity =  InitiatingProcessAccountName, HostCustomEntity = DeviceName
+  | extend timestamp = TimeGenerated, Account =  InitiatingProcessAccountName, Computer = DeviceName
    )
    )
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
+  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
-version: 1.0.1
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.0.2
 kind: Scheduled

Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml

@@ -26,21 +26,32 @@ query: |
   (SecurityEvent
   | where EventID==4688
   | where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
-  | project TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
+  | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
   ),
   (DeviceProcessEvents 
   | where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
-  | extend timestamp = TimeGenerated, AccountCustomEntity =  InitiatingProcessAccountName, HostCustomEntity = DeviceName
+  | extend timestamp = TimeGenerated, Account =  InitiatingProcessAccountName, Computer = DeviceName
   )
   )
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
+  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
-version: 1.0.2
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.0.3
 kind: Scheduled

Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml

@@ -26,14 +26,18 @@ query: |
   | project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
   // | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
   | sort by Percent desc
-  | extend AccountCustomEntity = UserPrincipalName
+  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
 eventGroupingSettings:
   aggregationKind: SingleAlert
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: UserPrincipalName
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
 incidentConfiguration:
   createIncident: true
   groupingConfiguration:
@@ -43,5 +47,5 @@ incidentConfiguration:
     matchingMethod: Selected
     groupByEntities:
       - Account
-version: 1.1.3
+version: 1.1.4
 kind: Scheduled

Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml

@@ -43,17 +43,17 @@ query: |
   // Calculate the time between first and last logon attempt (AttemptPeriodLength)
   | extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
   | where TotalLogonAttempts >= threshold
-  | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP
+  | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP
-  | sort by DestinationHost asc nulls last
+  | sort by Computer asc nulls last
-  | extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress
+  | extend timestamp = FirstLogonAttempt 
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: HostIP
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml

@@ -47,19 +47,30 @@ query: |
   | summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url
   | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
   OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url
-  | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url
+  | extend timestamp = Audit_TimeGenerated
+  | extend AccountName = tostring(split(userPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, "@")[1])
+  | extend HostName = tostring(split(TargetResourceDisplayName, ".")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: userPrincipalName
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: TargetResourceDisplayName
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: URLCustomEntity
+        columnName: Url
-version: 1.2.5
+version: 1.2.6
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml

@@ -68,20 +68,26 @@ query: |
   ) on $left.DomainName==$right.DnsQuery
   | where DNS_TimeGenerated < ExpirationDateTime
   | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
-  | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url
+  | extend timestamp = DNS_TimeGenerated
+  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Dvc
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: URLCustomEntity
+        columnName: Url
 customDetails:
   LatestIndicatorTime: LatestIndicatorTime
   Description: Description
@@ -94,5 +100,5 @@ customDetails:
   SourceIPAddress: SrcIpAddr
   DnsQuery: DnsQuery
   QueryType: DnsQueryType
-version: 1.1.5
+version: 1.1.6
 kind: Scheduled

Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml

@@ -41,13 +41,13 @@ query: |
   | where ObjectName endswith ".jsp" 
   | summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)
    on timekey, Computer, SubjectLogonId
-  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+  | extend timestamp = TimeGenerated, Account,  Computer
   ),
   (DeviceFileEvents 
   | where InitiatingProcessFileName has_any ("java.exe", "javaw.exe")  
   | where InitiatingProcessCommandLine has "SysAidServer"  
   | where FileName endswith ".jsp" 
-  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
+  | extend timestamp = TimeGenerated, Account = InitiatingProcessAccountName, Computer = DeviceName
   ),
   (imFileEvent
   | where TimeGenerated > ago(timeframe)
@@ -55,25 +55,36 @@ query: |
   | where ActingProcessName has_any ("java.exe", "javaw.exe") 
   | where ActingProcessCommandLine has "SysAidServer"  
   | where FilePath endswith ".jsp" 
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
+  | extend timestamp = TimeGenerated, Account = ActorUsername, Computer = DvcHostname
   )
   )
+  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
-version: 1.0.1
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:
         kind: Scheduled
     author:
-        name: Ajeet Prakash
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

Solutions/Windows Forwarded Events/Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml

@@ -38,26 +38,36 @@ query:  |
     (ParentProcessName has_any (file_path3)) 
   | extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
   | extend NewProcessId = tostring(EventData.NewProcessId)
-  | extend IPCustomEntity = tostring(EventData.IpAddress)
+  | extend IP = tostring(EventData.IpAddress)
-  | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity
+  | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IP
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'
+  | extend timestamp = TimeGenerated, Alert = 'SOURGUM IOC detected'
- 
+  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity 
+        columnName: IP 
   - entityType: Process
     fieldMappings:
       - identifier: ProcessId
-        columnName: ProcessCustomEntity
+        columnName: NewProcessName
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled

Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml

@@ -34,21 +34,31 @@ query:  |
   | extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'
   | extend FilePath = replace_string(NewProcessName, File, '')
   | project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type
-  | extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath
+  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Account
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: HostNameDomain
   - entityType: File
     fieldMappings:
       - identifier: Name
-        columnName: FileCustomEntity
+        columnName: File
       - identifier: Directory
-        columnName: FilePathCustomEntity
+        columnName: FilePath
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled