Rule migration resource uploads

iwafula025 2021-03-15 10:02:47 +03:00
Parent 4b1883d7b1
Commit ecdfb87089
3 changed files: 24 additions and 0 deletions


@ -0,0 +1,17 @@
## Azure Sentinel Analytics Usecases
|No|Use-case |Artefacts |
|--|---------------|--------------------|
|1|Receive an alert when users are accessing resources outside a specified time range.|Data Sources – Azure AD Sign-in logs, Defined time range Azure AD Group<br> that will be monitored for login activity, a logic app that pulls members of AD Group<br> into a LA table, Analytics rule that will trigger an incident when a member of the AD Group<br> signs in outside of the defined time range. KQL Query:<span style="color:lightblue"><pre>SigninLogs &#124;extend TimeInUK = CreatedDateTime&#124;extend day = (dayofweek(TimeInUK))<br>&#124; extend daystarting = tostring(day) //daystrating definitions, 1=Monday, 2=Tuesday,<br> 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday, 7=Sunday&#124; where daystarting<br> == "6.00:00:00" or daystarting == "7.00:00:00" or hourofday(TimeInUK)<br> !between (7...18)&#124; project TimeGenerated , TimeInUK , UserPrincipalName<br> , day , AppDisplayName , username = UserPrincipalName &#124; <br>join (UserWatchlist_CL &#124; project-rename username = Username_s )<br> on username &#124; project TimeInUK , day , username , AppDisplayName)*</span></pre>|
|2|Use a watchlist to dismiss expected alerts|Data Sources – Azure Defender for IoT, list of user and device pairs uploaded into a Watchlist,<br> Analytics rule that will look up the watchlist and a Playbook that will close incidents from expected alerts.KQL Query:<span style="color:lightblue"><pre>let alert = (SecurityAlert &#124; where TimeGenerated > ago(14d) &#124;where DisplayName<br> == "Brute force attempt"&#124;extend DeviceID = tostring(parse_json(ExtendedProperties)<br>"DeviceId"])&#124; extend UserID = tostring(parse_json(ExtendedProperties)["UserId"])<br>&#124;extend UserName = tostring(parse_json(ExtendedProperties)["UserName"])<br>&#124; project DeviceID, UserName,SystemAlertId);let watchlst =<br> (_GetWatchlist("iwatch"));alert&#124; join kind=inner watchlst on<br> $left.DeviceID == $right.device and $left.UserName == $right.username</span></pre>|
|3|Detect priviledge escalation-user created then deleted within 10 minutes |Data sources: Azure AD and Windows Security Events. KQL Query: <span style="color:lightblue"><pre>let timeframe = 10m;let lookback = 1d;let account_created =SecurityEvent<br> &#124; where TimeGenerated > ago(lookback+timeframe)&#124; where EventID == "4720"<br> // A user account was created&#124; where AccountType =~ "User"<br>&#124; project creationTime = TimeGenerated, CreateEventID =<br>EventID,Activity, Computer, TargetUserName, UserPrincipalName,<br> AccountUsedToCreate = SubjectUserName, TargetSid,<br> SubjectUserSid;account_created &#124; join kind= inner (account_deleted)<br> on Computer, TargetUserName&#124; where deletionTime - creationTime<br> < lookback&#124; where tolong(deletionTime - creationTime)<br> >= 0&#124;extend timestamp = creationTime, AccountCustomEntity<br> = AccountUsedToCreate, HostCustomEntity = Computer*</span></pre>|
|4|Detect Solorigate Network Beacon|Data sources: DNS, CISCO ASA, Palo Alto Networks, Microsoft 365 Defender. KQL Query: <span style="color:lightblue"><pre>let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);let timeframe = 6h;(union isfuzzy=true(CommonSecurityLog &#124; where TimeGenerated >= ago(timeframe)&#124; parse Message with * '(' DNSName ')' * &#124; where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains) &#124; extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP ),(DnsEvents &#124; where TimeGenerated >= ago(timeframe) &#124; extend DNSName = Name&#124; where isnotempty(DNSName)&#124; where DNSName in~ (domains) &#124; extend IPCustomEntity = ClientIP),VMConnection&#124; where TimeGenerated >= ago(timeframe)&#124; parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *&#124; where isnotempty(DNSName)&#124; where DNSName in~ (domains)&#124; extend IPCustomEntity = RemoteIp ),(DeviceNetworkEvents &#124; where TimeGenerated >= ago(timeframe)&#124; where isnotempty(RemoteUrl)&#124; where RemoteUrl has_any (domains)&#124; extend DNSName = RemoteUrl&#124; extend IPCustomEntity = RemoteIP&#124; extend HostCustomEntity = DeviceName)) *</span></pre>|
|5 |An IP address that had (failed) attempts to sign in to one or more disabled accounts signed in successfully to another account.|Data Sources: Azure AD.Analytics that looks for specific Azure AD Sign-In log entries<br> 50057 = User account is disabled.The account has been disabled by an administrator.KQL Query: <span style="color:lightblue"><pre>let lookBack = 1d;SigninLogs &#124; where TimeGenerated >= ago(lookBack)<br>&#124; where ResultType == "50057"&#124; where ResultDescription == "User account<br> is disabled.The account has been disabled by an administrator."&#124;<br> summarize StartTimeUtc = min(TimeGenerated),EndTimeUtc<br> = max(TimeGenerated),<br> disabledAccountLoginAttempts = count(),disabledAccountsTargeted<br> = dcount(UserPrincipalName), applicationsTargeted<br> = dcount(AppDisplayName), disabledAccountSet<br> = makeset(UserPrincipalName),applicationSet<br> = makeset(AppDisplayName) by IPAddress&#124; order by<br> disabledAccountLoginAttempts desc&#124; join<br> kind= leftouter (// Consider these IPs suspicious - and alert<br> any related successful sign-insSigninLogs&#124; where TimeGenerated<br> >= ago(lookBack)&#124; where ResultType == 0&#124; summarize <br>successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet<br> = makeset(UserPrincipalName, 15) by IPAddress// Assume IPs associated with sign-ins<br> from 100+ distinct user accounts are safe&#124; where successfulAccountSigninCount<br> < 100) on IPAddress// IPs from which attempts to authenticate<br> as disabled user accounts originated, and had a non-zero<br> success rate for some other account&#124; where successfulAccountSigninCount<br> != 0&#124; project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts,<br> disabledAccountsTargeted, disabledAccountSet, applicationSet,<br> successfulAccountSigninCount,successfulAccountSigninSet&#124;<br> order by disabledAccountLoginAttempts&#124; extend timestamp = <br>StartTimeUtc,IPCustomEntity = 
IPAddress</span></pre>|
|6|Detect Brute Force attack based on statistical detections|Data sources: Azure AD. KQL Query:<span style="color:lightblue"><pre>let signin_threshold = toscalar(SigninLogs &#124; where TimeGenerated >= startofday(ago(7d))<br> and TimeGenerated < startofday(now()) &#124; where ResultType !in ("0", "50125", "50140")<br> &#124; where IPAddress != "127.0.0.1" &#124; summarize cnt=count() by IPAddress, bin(TimeGenerated, 1d)<br> &#124; summarize percentile(cnt, 95)); &#124; SigninLogs&#124; where signin_threshold > 10 and Location == "KE"</span></pre>|
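Review bot: the KQL in the Artefacts column is not runnable as pasted, because each query is flattened into one `<pre>` line with `&#124;` for pipes and `<br>` for breaks, so the `//` comments in rows 1, 3 and 5 swallow the operators that follow them (row 1: `//daystrating definitions, ... 7=Sunday| where daystarting` comments out the `where`; row 5: `// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe| where successfulAccountSigninCount < 100` drops the threshold filter, and `// Consider these IPs suspicious - and alert any related successful sign-insSigninLogs` runs the comment into the table name). Several rows also carry syntax defects: row 2 is missing the `[` before `"DeviceId"]`; row 3 joins on `account_deleted` but never defines it; row 4 drops the `(` before `VMConnection`, so the union's parentheses no longer balance; rows 1, 3 and 4 end in a stray `)*` or `*`; and row 6 has `; | SigninLogs` after the `let`, which is invalid, and then compares the scalar `signin_threshold` against 10 instead of comparing each IP's failure count against the threshold. Suggest replacing the `<pre>`/`&#124;` cells with a fenced ```kql block per use case, one operator per line, so comments end at the line and each query can be copied straight into the Logs blade; also fix "priviledge" in row 3.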

Binary data
Tools/RuleMigration/Data table mapping.xlsx Normal file

Binary file not shown.


@ -0,0 +1,7 @@
### KQL Optimization Resources
|No|Resources |
|--|--------------------|
|1 | [KQL Query best practices](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices) |
|2 | [Optimize Queries in Azure Monitor Logs](https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-optimization) |
|3 | [Optimizing KQL performance-Webinar](https://youtu.be/jN1Cz0JcLYU) |
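Review bot: heading level is inconsistent with the use-case file added in this same commit, which opens with `## Azure Sentinel Analytics Usecases` while this file opens with `### KQL Optimization Resources`; pick one level for both top-level headings. A one-line sentence above the table saying what the links are for (tuning the queries in the use-case table before they are migrated as analytics rules) would also help, since the file otherwise has no context.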