Merge pull request #10609 from Azure/v-shukore/AttackerToolsThreatProtectionEssentials

Added missing DC reference in Analytic Rule for Attacker Tools Threat Protection Essentials Solution

Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/CredentialDumpingServiceInstallation.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - Event
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - Event
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -41,5 +44,5 @@ entityMappings:
       columnName: HostName
     - identifier: DnsDomain
       columnName: DnsDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/CredentialDumpingToolsFileArtifacts.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - Event
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - Event
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -42,5 +45,5 @@ entityMappings:
   fieldMappings:
     - identifier: CommandLine
       columnName: Image
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json

@@ -20,7 +20,7 @@
     "azuresentinel.azure-sentinel-solution-azureactivedirectory"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Attacker Tools Threat Protection Essentials",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true

Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/CobaltDNSBeacon.yaml

@@ -11,6 +11,9 @@ requiredDataConnectors:
   - connectorId: DNS
     dataTypes:
       - DnsEvents
+  - connectorId: ASimDnsActivityLogs
+    dataTypes:
+      - DnsEvents
   - connectorId: AzureMonitor(VMInsights)
     dataTypes:
       - VMConnection
@@ -49,4 +52,4 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: RemoteIP
-version: 1.0.1
+version: 1.0.2

Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.  \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire  \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.  \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire  \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -166,7 +166,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This hunting query depends on DNS AzureMonitor(VMInsights) data connector (DnsEvents VMConnection Parser or Table)"
+                  "text": "Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This hunting query depends on DNS ASimDnsActivityLogs AzureMonitor(VMInsights) data connector (DnsEvents DnsEvents VMConnection Parser or Table)"
                 }
               }
             ]

Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json

@@ -33,11 +33,11 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Attacker Tools Threat Protection Essentials",
-    "_solutionVersion": "3.0.2",
+    "_solutionVersion": "3.0.3",
     "solutionId": "azuresentinel.azure-sentinel-solution-attackertools",
     "_solutionId": "[variables('solutionId')]",
     "huntingQueryObject1": {
-      "huntingQueryVersion1": "1.0.1",
+      "huntingQueryVersion1": "1.0.2",
       "_huntingQuerycontentId1": "dde206fc-3f0b-4175-bb5d-42d2aae9d4c9",
       "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dde206fc-3f0b-4175-bb5d-42d2aae9d4c9')))]"
     },
@@ -54,18 +54,18 @@
       "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd','-', '1.0.3')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.2",
+      "analyticRuleVersion2": "1.0.3",
       "_analyticRulecontentId2": "4ebbb5c2-8802-11ec-a8a3-0242ac120002",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4ebbb5c2-8802-11ec-a8a3-0242ac120002')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4ebbb5c2-8802-11ec-a8a3-0242ac120002')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4ebbb5c2-8802-11ec-a8a3-0242ac120002','-', '1.0.2')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4ebbb5c2-8802-11ec-a8a3-0242ac120002','-', '1.0.3')))]"
     },
     "analyticRuleObject3": {
-      "analyticRuleVersion3": "1.0.2",
+      "analyticRuleVersion3": "1.0.3",
       "_analyticRulecontentId3": "32ffb19e-8ed8-40ed-87a0-1adb4746b7c4",
       "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')]",
       "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')))]",
-      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','32ffb19e-8ed8-40ed-87a0-1adb4746b7c4','-', '1.0.2')))]"
+      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','32ffb19e-8ed8-40ed-87a0-1adb4746b7c4','-', '1.0.3')))]"
     },
     "analyticRuleObject4": {
       "analyticRuleVersion4": "1.3.1",
@@ -86,7 +86,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.2",
+        "description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -157,9 +157,9 @@
         "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
         "contentKind": "HuntingQuery",
         "displayName": "Cobalt Strike DNS Beaconing",
-        "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
-        "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
-        "version": "1.0.1"
+        "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]",
+        "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]",
+        "version": "1.0.2"
       }
     },
     {
@@ -171,7 +171,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.2",
+        "description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -256,7 +256,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.2",
+        "description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -266,7 +266,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -411,7 +411,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.2",
+        "description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -421,7 +421,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -443,6 +443,12 @@
                       "Event"
                     ],
                     "connectorId": "SecurityEvents"
+                  },
+                  {
+                    "dataTypes": [
+                      "Event"
+                    ],
+                    "connectorId": "WindowsSecurityEvents"
                   }
                 ],
                 "tactics": [
@@ -540,7 +546,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.2",
+        "description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -550,7 +556,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -572,6 +578,12 @@
                       "Event"
                     ],
                     "connectorId": "SecurityEvents"
+                  },
+                  {
+                    "dataTypes": [
+                      "Event"
+                    ],
+                    "connectorId": "WindowsSecurityEvents"
                   }
                 ],
                 "tactics": [
@@ -669,7 +681,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.2",
+        "description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -679,7 +691,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -925,12 +937,12 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.2",
+        "version": "3.0.3",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Attacker Tools Threat Protection Essentials",
         "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
-        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <strong>Attacker Tools Threat Protection Essentials</strong> solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions\">domain solution</a> and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.</p>\n<ol>\n<li>Windows Security Events</li>\n<li>Windows Server DNS</li>\n<li>Windows Forwarded Events</li>\n<li>Microsoft Entra ID</li>\n</ol>\n<p><strong>Keywords:</strong> attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire</p>\n<p><strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <strong>Attacker Tools Threat Protection Essentials</strong> solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions\">domain solution</a> and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.</p>\n<ol>\n<li>Windows Security Events</li>\n<li>Windows Server DNS</li>\n<li>Windows Forwarded Events</li>\n<li>Microsoft Entra ID</li>\n</ol>\n<p><strong>Keywords:</strong> attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire</p>\n<p><strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
         "id": "[variables('_solutioncontentProductId')]",
@@ -984,7 +996,7 @@
               "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
               "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
             },
-			{
+            {
               "kind": "Solution",
               "contentId": "azuresentinel.azure-sentinel-solution-securityevents"
             },

Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                        |
 |-------------|--------------------------------|---------------------------------------------------------------------------|
+| 3.0.3       | 06-06-2024                     | Added missing AMA **Data Connector** reference in **Analytic rules** and **Hunting Queries**|
 | 3.0.2       | 07-02-2024                     | Tagged for dependent solutions for deployment                             |
 | 3.0.1       | 23-01-2024                     | Added subTechniques in Template                                           |
 | 3.0.0       | 06-11-2023                     | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.  |