From b32769ac42b7dad96486eec4c80dca9cc405e774 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 12:28:14 +0530
Subject: [PATCH 01/13] Update GitLab_MaliciousIP.yaml

excluding local IP/PrivateIP from the TI_ipEntity.
---
 Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
index ffe9a8b213..9800ab1192 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
@@ -30,6 +30,8 @@ query: |
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ //Exclude local addresses using ipv4_is_private operator
+ |where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
 | join (GitLabAccess) on $left.TI_ipEntity == $right.IPAddress
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TimeGenerated = EventTime, TI_ipEntity, IPAddress, URI

From a4576d2a268c04a7902b1da5200c9cc19fa4c805 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 12:39:42 +0530
Subject: [PATCH 02/13] Update WebShellActivity.yaml

Excluded local addresses using ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/WebShellActivity.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Hunting Queries/W3CIISLog/WebShellActivity.yaml b/Hunting Queries/W3CIISLog/WebShellActivity.yaml
index 60e240bce1..11bd605f61 100644
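Review bot: The added `|where ipv4_is_private(TI_ipEntity) == false ...` line drops every non-IPv4 indicator, not only local ones: as documented, ipv4_is_private() returns null when its input does not parse as IPv4, and `null == false` is not true in Kusto, so IPv6 rows are discarded before the `!startswith "fe80"` and `!startswith "::"` terms that follow can ever apply to them. If IPv6 indicators are expected to match, the null needs an explicit guard, e.g. `|where (isnull(ipv4_is_private(TI_ipEntity)) or ipv4_is_private(TI_ipEntity) == false) and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."`. The identical construct is added in patches 02 through 10 (WebShellActivity, RareUserAgentStrings, ClientIPwithManyUserAgents, IPEntity_AppServiceHTTPLogs, IPEntity_W3CIISLog, SuspectedMailBoxExportHostonOWA, ExchangeServerProxyLogonURI, SuspectedProxyTokenExploitation) and the same fix applies to each of them. The comment also calls ipv4_is_private an operator although it is a scalar function; `//Exclude private, loopback and link-local addresses; ipv4_is_private() returns null for non-IPv4 input` would describe the line more accurately.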
--- a/Hunting Queries/W3CIISLog/WebShellActivity.yaml
+++ b/Hunting Queries/W3CIISLog/WebShellActivity.yaml
@@ -36,7 +36,8 @@ query: |
 | where csUriStem !in~ (ignore_uristems) // Remove noisy uri stems in the final results by editing the ignore_uristems variable
 | extend suffix = strcat(".", split(split(csUriStem, "/")[-1], ".")[-1])
 | extend is_script = iff(suffix in (script_extensions), 1, 0)
- | where not(ipv4_is_private(cIP)) and cIP != "127.0.0.1"
+ //Exclude local addresses using ipv4_is_private operator
+ |where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | extend status_xx = strcat(substring(tostring(scStatus), 0, 1), 'XX')
 | serialize cIP, csUserAgent, TimeGenerated
 | extend SessionStarted = row_window_session(TimeGenerated, 30s, 3s, (cIP != prev(cIP)) and (csUserAgent != prev(csUserAgent))));
@@ -56,4 +57,4 @@ query: |
 | sort by dyn_to_non_dyn_ratio desc, num_dynamic_scripts desc
 | extend summary = pack('IPCustomEntity', cIP, 'user_agent', csUserAgent, 'num_dynamic_scripts', num_dynamic_scripts, 'set_dynamic_scripts', set_dynamic_scripts, 'num_non_dyn_scripts', num_non_dyn_scripts, 'set_non_dynamic_scripts', set_non_dynamic_scripts, 'ratio', dyn_to_non_dyn_ratio, 'Session_StartTime', SessionStarted)
 | summarize summaries=make_list(summary), num_of_sessions_on_day = count() by cIP, csUserAgent
- | sort by num_of_sessions_on_day asc
\ No newline at end of file
+ | sort by num_of_sessions_on_day asc

From 6374cd17e40885d6ba822d26c4b879a424807b6c Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 12:43:16 +0530
Subject: [PATCH 03/13] Update RareUserAgentStrings.yaml

//Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

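Review bot: The new `|where ipv4_is_private(cIP) == false ...` line in the first hunk is the only operator in this pipeline written without a space after the pipe, and its comment (`using ipv4_is_private operator`) differs from the `using the ipv4_is_private operator` wording that patch 05 adds to the same file a few lines earlier; `| where ipv4_is_private(cIP) == false ...` with one shared comment text keeps WebShellActivity.yaml consistent, and the same spacing issue is present in the lines added by patches 01, 03 and 04. Separately, `cIP !startswith "::"` excludes more than the loopback address the removed line targeted: any IPv4-mapped client logged as `::ffff:a.b.c.d` is dropped as well, so if the IIS hosts record dual-stack clients in that form, some external sessions silently disappear from the hunt; if that is intended, say so in the comment. The session query continues outside the hunk.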
diff --git a/Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml b/Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml
index 6f3d667444..55ae064db1 100644
--- a/Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml
+++ b/Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml
@@ -14,8 +14,8 @@ relevantTechniques:
 query: |
 W3CIISLog
- // The below line can be used to exclude local IPs if these create noise
- //| where cIP !startswith "192.168." and cIP != "::1"
+ //Exclude local addresses, using ipv4_is_private operator
+ |where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC")
 | extend csUserAgent_size = string_size(csUserAgent)
 | project TimeGenerated, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus,
@@ -23,7 +23,7 @@ query: |
 | join (
 W3CIISLog
 // The below line can be used to exclude local IPs if these create noise
- //| where cIP !startswith "192.168." and cIP != "::1"
+ |where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC")
 | extend csUserAgent_size = string_size(csUserAgent)
 | summarize csUserAgent_count = count() by bin(csUserAgent_size, 1)
@@ -32,4 +32,4 @@ query: |
 | project TimeGenerated, sSiteName, sPort, sIP, cIP, csUserAgent, csUserAgent_size, csUserAgent_count, csUserName , csMethod, csUriStem, scStatus, scSubStatus, scWin32Status, csHost
 | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName
- 
\ No newline at end of file
+ 

From c91a3881e5658fe616b172613d5556149af88202 Mon Sep 17 00:00:00 2001
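Review bot: In the second hunk (`@@ -23,7 +23,7 @@`) the context line `// The below line can be used to exclude local IPs if these create noise` is kept directly above the now-active `|where ipv4_is_private(cIP) == false ...` filter, so it describes an optional, commented-out line that no longer exists; replace it with the `//Exclude local addresses, using ipv4_is_private operator` text used in the first hunk, or remove it. Both hunks turn what was an opt-in exclusion into an unconditional one on both sides of the self-join, which changes what this hunt returns for internal clients; a sentence in the rule's description noting that private, loopback and link-local sources are now filtered out would warn analysts who rely on seeing them. The join and the outer query both continue outside the hunks shown.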
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 12:46:40 +0530
Subject: [PATCH 04/13] Update ClientIPwithManyUserAgents.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml b/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml
index 91ecdca604..a0272f3cb1 100644
--- a/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml
+++ b/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml
@@ -18,6 +18,8 @@ query: |
 W3CIISLog
 | where scStatus !startswith "20" and scStatus !startswith "30" and cIP !startswith "192.168." and cIP != sIP and cIP != "::1"
+ //Exclude local addresses, using ipv4_is_private operator
+ |where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makeset(csUserAgent), ConnectionCount = count() by Computer, sSiteName, sIP, sPort, cIP, csMethod
 | extend csUserAgentPerIPCount = arraylength(set_csUserAgent)

From d1c6d1506b850a3d957934a8c295041561f4be7c Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:22:02 +0530
Subject: [PATCH 05/13] Update WebShellActivity.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/WebShellActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Hunting Queries/W3CIISLog/WebShellActivity.yaml b/Hunting Queries/W3CIISLog/WebShellActivity.yaml
index 11bd605f61..e2d7a542c9 100644
--- a/Hunting Queries/W3CIISLog/WebShellActivity.yaml
+++ b/Hunting Queries/W3CIISLog/WebShellActivity.yaml
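Review bot: The new `|where ipv4_is_private(cIP) == false ... cIP !startswith "::" ...` line overlaps the context line directly above it, whose `cIP !startswith "192.168."` and `cIP != "::1"` terms are now subsumed by ipv4_is_private() and the `"::"` prefix test, leaving two partially duplicated address filters back to back in ClientIPwithManyUserAgents.yaml. Folding them into one predicate, `| where scStatus !startswith "20" and scStatus !startswith "30" and cIP != sIP` followed by the new exclusion line, keeps the intent readable; `cIP != sIP` is the only term the new line does not cover. The summarize that follows is the last visible line, but the query continues outside the hunk.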
@@ -25,7 +25,8 @@ query: |
 let lookback_period = (
 W3CIISLog
 | where TimeGenerated between (lookback .. starttime)
- | where not(ipv4_is_private(cIP)) and cIP != "127.0.0.1"
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | summarize count() by cIP, csUserAgent
 | project cIP, csUserAgent
 );

From c92d44ef3573034b02fac5a83126930fbe6bcbf1 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:24:29 +0530
Subject: [PATCH 06/13] Update IPEntity_AppServiceHTTPLogs.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 .../IPEntity_AppServiceHTTPLogs.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
index ba8f763a07..07f183a3ad 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
@@ -31,6 +31,8 @@ query: |
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique ( AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)

From ccc9235227154649fc06ccad765f4a13b21b739a Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:27:15 +0530
Subject: [PATCH 07/13] Update IPEntity_W3CIISLog.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 .../ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
index 4aaafe9c4e..af7f354d44 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
@@ -34,11 +34,15 @@ query: |
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique (
 W3CIISLog
 | where TimeGenerated >= ago(dt_lookBack)
 | where isnotempty(cIP)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 // renaming time column so it is clear the log this came from
 | extend W3CIISLog_TimeGenerated = TimeGenerated
 )
@@ -67,4 +71,4 @@ entityMappings:
 - identifier: Url
 columnName: URLCustomEntity
 version: 1.2.1
-kind: Scheduled
\ No newline at end of file
+kind: Scheduled

From e8b79a46b7d712d1d33827bbfc6471f942704e5c Mon Sep 17 00:00:00 2001
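Review bot: The second added filter, `| where ipv4_is_private(cIP) == false ...` inside the W3CIISLog join subquery, cannot change the result set: the join is `join kind=innerunique` on an equality between TI_ipEntity and cIP, and TI_ipEntity has already been restricted to non-private, non-loopback, non-link-local values a few lines above, so a cIP in those ranges could never match anyway. Keeping it as a pre-filter that may shrink the right side before the join is reasonable, but then the comment should say so, e.g. `// pre-filter the log side as well; the equality join would discard these rows regardless`, and the sibling rule IPEntity_AppServiceHTTPLogs.yaml (patch 06), which filters only the indicator side, should follow the same convention. The `)` closing the join is the last line of the first hunk, but the outer query continues beyond it.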
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:36:50 +0530
Subject: [PATCH 08/13] Update SuspectedMailBoxExportHostonOWA.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
index 614992e7cf..adc109dc84 100644
--- a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
+++ b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
@@ -33,6 +33,8 @@ query: |
 | extend file_name = tostring(split(csUriStem, "/")[-1])
 | where file_name != ""
 | where cIP !in~ (excludeIps)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | project file_ext, csUriStem, file_name, Computer, cIP, sIP, TenantId, TimeGenerated
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(cIP), AccessingIPs=make_set(cIP), AccessTimes=make_set(TimeGenerated), Access=count() by TenantId, file_name, Computer, csUriStem
 //Collection of the exfiltration will occur only once, lets check for 2 accesses in case they mess up

From bca4d5f23432d0db1d6bab21f619f0861a3c1fcd Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:37:54 +0530
Subject: [PATCH 09/13] Update ExchangeServerProxyLogonURI.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml b/Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
index 95918845d1..0dba53eddd 100644
--- a/Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
+++ b/Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
@@ -15,7 +15,8 @@ tags:
 query: |
 W3CIISLog
- | where not(ipv4_is_private(cIP))
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
 | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
 | extend timestamp = TimeGenerated
@@ -27,4 +28,4 @@ entityMappings:
 - identifier: DestinationPort
 columnName: sPort
 - identifier: SourceAddress
- columnName: cIP
\ No newline at end of file
+ columnName: cIP

From f9782580053e7fe49444211b5f171f48423de512 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:38:49 +0530
Subject: [PATCH 10/13] Update SuspectedProxyTokenExploitation.yaml

Exclude local addresses, using the ipv4_is_private operator
---
 Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml b/Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml
index 5fbff2ed77..e143e6a7f4 100644
--- a/Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml
+++ b/Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml
@@ -13,7 +13,8 @@ relevantTechniques:
 - T1190
 query: |
 W3CIISLog
- | where not(ipv4_is_private(cIP))
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
 | where csMethod =~ "POST"
 | where csUriStem has "/ecp"
 | where isnotempty(csCookie) and csCookie has "SecurityToken"

From faefbb5a845356ef1b3b7ed20e67a5323583063d Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:53:10 +0530
Subject: [PATCH 11/13] Update GitLab_MaliciousIP.yaml

updating the version
---
 Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
index 9800ab1192..0528c8755e 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
@@ -44,5 +44,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

From c0bf0693d4e01945ebf3aa05920b1d469159ab21 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:53:53 +0530
Subject: [PATCH 12/13] Update IPEntity_AppServiceHTTPLogs.yaml

version update
---
 .../IPEntity_AppServiceHTTPLogs.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
index 07f183a3ad..70c3048616 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
@@ -68,5 +68,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: _ResourceId
-version: 1.2.2
+version: 1.2.3
 kind: Scheduled

From e0b110b24e1f5beebe03edf740faaca815ac2244 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Tue, 26 Apr 2022 14:55:48 +0530
Subject: [PATCH 13/13] Update IPEntity_W3CIISLog.yaml

updated the version
---
 Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
index af7f354d44..df7a8f19bf 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.2.1
+version: 1.2.2
 kind: Scheduled