Ashwin Patil
2aa1ca0fd7
updated make_set limit to 100
2020-12-03 16:23:19 -08:00
Ashwin Patil
963748ac5d
adding limit to make_set to scale performance
2020-12-03 16:12:05 -08:00
Ashwin Patil
457fe22a27
description and threshold to reduce FPs
2020-12-03 16:05:05 -08:00
Shain Wray (MSTIC)
f886a062e0
Fixing typo
2020-12-03 09:54:18 -08:00
Julien CLEMENT
ec8eb1a990
Merge branch 'master' into AFAD-connector
2020-12-03 10:35:04 +01:00
Ashwin Patil
e9ed3c3c19
fix GUIDs per build failures
2020-12-02 20:05:18 -08:00
Ashwin Patil
c51c4b4e2d
fix build failures
2020-12-02 19:02:48 -08:00
Ashwin Patil
4e40b106db
doclink and unused KQL fixes
2020-12-02 18:52:36 -08:00
Ashwin Patil
0d8ab7fca3
fix for Keyvault
2020-12-02 18:46:40 -08:00
Ashwin Patil
a7b00b15a8
timeseries fixes
2020-12-02 18:11:35 -08:00
Ashwin Patil
08a6e3cca5
file rename, entity mappings
2020-12-02 18:11:10 -08:00
Ashwin Patil
90492f830e
added new detection for timeseries for Office
2020-12-02 09:34:50 -08:00
Shain Wray (MSTIC)
315d3bfd14
including new entity mapping information
2020-12-02 08:19:12 -08:00
Shain
7f267d4132
Merge pull request #1341 from Azure/shainw-removeKeyDecrypt
...
Update KeyVaultSensitiveOperations.yaml
2020-12-01 18:23:54 -08:00
Shain
b33bdbd8b3
Update NewAppOrServicePrincipalCredential.yaml
...
Moving the filtering a bit higher in the query to improve perf, plus changing the name of InitiatingUser to InitiatingUserOrApp so it is clear this can come from 2 different values.
2020-12-01 16:01:00 -08:00
Nick Carr
00feaec7fc
Update NewAppOrServicePrincipalCredential.yaml
...
Filtered additional non-user events by simplifying the final InitiatingUser filter
2020-12-01 01:35:16 -05:00
Nick Carr
d948763a88
Update and rename NewKeyIdentifierAddedToOAuthApp.yaml to NewAppOrServicePrincipalCredential.yaml
...
Minor changes:
* casted extracted variables tostring()s
* expanded logic to include all three (3) event types for both Applications and Service Principals - with an added filter
2020-11-30 22:42:31 -05:00
Nick Carr
b742141cc2
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
Improving documentation & comments
2020-11-30 21:41:15 -05:00
Nick Carr
88544d4d42
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
cleaning up & re-ordering output slightly
2020-11-30 16:44:03 -05:00
Nick Carr
6d8843766f
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
Removed locale in documentation reference
2020-11-30 16:31:56 -05:00
Nick Carr
cb0dff88c4
Initial proposal of keyIdentifier detection events
...
TODO:
* re-pack and display helpful investigative fields TargetId.ServicePrincipalNames, ServicePrincipalName, ActorId.ServicePrincipalNames, DisplayName
* explore time series anomalies, new IP address activity
* join other helpful investigative data based on correlationId
2020-11-30 16:23:43 -05:00
Shain
98f426fcce
Merge pull request #1342 from Azure/shainw-AddDomainNameEntity
...
Update MultiVendor-PossibleDGAContacts.yaml
2020-11-25 07:26:06 -08:00
Shain
30d61e126d
Merge pull request #1318 from vaniMSTIC/vaasawa-mstic
...
Create MaliciousWAFSessions.yaml
2020-11-23 07:48:17 -08:00
vaniMSTIC
d47acc4e96
Update MaliciousWAFSessions.yaml
...
Shain's feedback #2
2020-11-23 11:09:51 +00:00
Yaron
3a4a479b1c
Expansions strongify ( #1329 )
...
* Expansions strongify
Mapping stronger identifiers
* Fixing these up a bit to simplify and output additional entity mappings
* Couple other tweaks
Co-authored-by: Shain Wray (MSTIC) <shainw@microsoft.com>
2020-11-22 09:07:55 +02:00
vaniMSTIC
eed743d86a
Update MaliciousWAFSessions.yaml
...
- Change timeStamp_t to TimeGenerated
- Send email to Shain regarding creation of customer schema template
2020-11-20 10:34:08 +00:00
Shain
d13f1b6e61
Update MultiVendor-PossibleDGAContacts.yaml
2020-11-19 12:52:50 -08:00
Shain
d74233ae34
Update KeyVaultSensitiveOperations.yaml
...
Removing KeyDecrypt, this replaces only this portion from PR #1262 which we are closing as other changes are not required.
2020-11-19 12:47:33 -08:00
Shain
3eefe252d5
Merge pull request #1331 from lreading/bugfix/typo-361dd1e3-1c11-491e-82a3-bb2e44ac36ba
...
Fixing typo in description of "Suspicious number of resource creation or deployment activities"
2020-11-19 09:59:51 -08:00
pemontto
fa85e7f722
Remove inconsistent BOMs from detections
2020-11-19 16:57:39 +00:00
necoh
1beae7fec4
Update KnownPHOSPHORUSDomainsIP-October2020.yaml
...
The current requiredDataType (SecurityAlert (Office 365 Security & Compliance)) is incorrect.
According to OfficeATP it should be SecurityAlert (OATP).
2020-11-19 10:49:15 +02:00
lreading
4c3f660c67
Fixing typo in rule description for rule id 361dd1e3-1c11-491e-82a3-bb2e44ac36ba, Suspicious number of resource creation or deployment activities
2020-11-18 10:34:08 -05:00
laithhisham
9f0fa91b90
Feature/lahisham/migrate scheduled templates to new entity mapping ( #1319 )
...
* migrate scheduled templates to new entity mapping model
* add validation for missing new entity mappings
2020-11-17 17:27:25 +02:00
vaniMSTIC
64123da594
Update MaliciousWAFSessions.yaml
...
Shain's feedback
2020-11-17 12:30:43 +00:00
vaniMSTIC
52a8be5ab5
Update MaliciousWAFSessions.yaml
...
Changing severity
2020-11-16 16:57:22 +00:00
vaniMSTIC
80d79a7631
Create MaliciousWAFSessions.yaml
2020-11-16 13:56:15 +00:00
Shain
bf4d353dcf
Update Sign-in Burst from Multiple Locations.yaml
...
DetectionTemplate validation is failing with - YamlDotNet.Core.SemanticErrorException : (Line: 20, Col: 1, Idx: 451) - (Line: 20, Col: 3, Idx: 453): While scanning a literal block scalar, found extra spaces in first line.
Removing empty line from after query: | to see if it is that.
2020-11-12 21:56:24 -08:00
Shain
a05f842898
Update Sign-in Burst from Multiple Locations.yaml
...
Fixing first line in query to resolve yaml file validation issue, then will see if this resolves KQL validation issue, also adding in required timestamp entity mapping field.
2020-11-12 21:36:56 -08:00
Shain
46f9e2f48c
Merge branch 'master' into patch-11
2020-11-12 21:13:39 -08:00
aprakash13
ba853a88d0
Update BariumDomainIOC112020.yaml
2020-11-11 11:36:30 -08:00
aprakash13
5221b6f1e5
Rename BariumIPIOC.yaml to BariumIPIOC112020.yaml
2020-11-11 11:34:45 -08:00
aprakash13
8f016bb857
Update BariumIPIOC.yaml
2020-11-11 11:32:45 -08:00
aprakash13
2a371c7bba
Update and rename BariumDomainIOC.yaml to BariumDomainIOC112020.yaml
2020-11-11 11:31:59 -08:00
aprakash13
35b80277ec
Update BariumDomainIOC.yaml
2020-11-11 07:11:11 -08:00
Ajeet Prakash (MSTIC)
b741809153
Barium related IP/Domain IOC's
2020-11-11 06:35:16 -08:00
ehudk-msft
b693dabdcc
Update ExternalUserAddedRemovedInTeams.yaml
2020-11-08 08:23:52 +02:00
ehudk-msft
69b5c47f08
Update gte_6_FailedLogons_10m.yaml
2020-11-08 08:22:33 +02:00
Julien CLEMENT
6300ae37a3
Add more analytic rules templates
...
Signed-off-by: Julien CLEMENT <julien.clement@epita.fr>
2020-11-05 18:10:31 +01:00
ehudk-msft
0365540c39
fix CorrelateIPC_Unfamiliar-Atypical
2020-11-05 15:18:39 +02:00
Julien CLEMENT
39465cf6b7
Adding analytic rules templates
...
Signed-off-by: Julien CLEMENT <julien.clement@epita.fr>
2020-11-05 12:28:36 +01:00
ehudk-msft
e5f395228f
.
2020-11-05 12:46:59 +02:00
ehudk-msft
d3bea16104
several fixes to templates
2020-11-05 11:17:29 +02:00
ehudk-msft
3836a3fb5a
Update SeveralDenyActionsRegistered.yaml
2020-11-04 19:24:09 +02:00
ehudk-msft
579c773c2d
Update Sign-in Burst from Multiple Locations.yaml ( #1265 )
2020-11-04 11:45:23 +02:00
ehudk-msft
178c303985
Update Sign-in Burst from Multiple Locations.yaml
2020-11-04 11:36:51 +02:00
ehudk-msft
e0c7d4c305
Update STRONTIUMOct292020IOCs.yaml
2020-11-02 19:51:16 +02:00
Pete Bryan
6b0ba3849f
Merge pull request #1244 from ehudk-msft/patch-3
...
Update PasswordSpray.yaml
2020-11-02 07:43:27 -08:00
Pete Bryan
2f1f38dc6c
Merge pull request #1245 from ehudk-msft/patch-2
...
Update Threat Intel Matches to GitHub Audit Logs.yaml
2020-11-02 07:43:04 -08:00
Pete Bryan
92f8b2bcb5
Merge pull request #1246 from ehudk-msft/patch-4
...
Update MalwareAttachmentDelivered.yaml
2020-11-02 07:42:37 -08:00
Offir Shvartz
39d7eab071
Add Kql Validation to PR pipeline (detection only) ( #1223 )
...
Co-authored-by: Offir Shvartz <ofshvart@microsoft.com>
2020-11-01 09:15:35 +02:00
ehudk-msft
01ffba8c40
Update MalwareAttachmentDelivered.yaml
2020-10-31 01:15:30 +02:00
ehudk-msft
5977a7a149
Update PasswordSpray.yaml
2020-10-31 01:05:26 +02:00
ehudk-msft
12e65474a8
Update Threat Intel Matches to GitHub Audit Logs.yaml
2020-10-31 00:52:42 +02:00
ashwin-patil
29b09ea3f7
IOC queries from Russ
2020-10-29 23:06:48 +00:00
Pete Bryan
9f30c0189f
Mapping fix
2020-10-29 08:00:55 -07:00
Shain
6abefdd26a
Update SeveralDenyActionsRegistered.yaml
2020-10-27 10:50:44 -07:00
Shain
f8022cafe9
Merge pull request #1188 from KennethMLdk/master
...
New detection rule
2020-10-27 10:49:51 -07:00
Shain
402b6c1c6f
Revert "Add KQL syntax validation of detection queries as part of the PR pipeline"
2020-10-27 10:37:31 -07:00
Shain
7238f42ef3
Merge pull request #1039 from oshvartz/feature/addKqlValidations
...
Add KQL syntax validation of detection queries as part of the PR pipeline
2020-10-27 10:29:28 -07:00
Kenneth Meyer-Lassen
2cec7f6e8d
Sentinel firewall alert
2020-10-26 16:07:11 +01:00
KennethMLdk
5485e71621
Update SeveralDenyActionsRegistered.yaml
2020-10-26 15:10:51 +01:00
KennethMLdk
9deff80266
Update SeveralDenyActionsRegistered.yaml
2020-10-26 14:53:02 +01:00
Shain
e99aaf14ba
Merge pull request #1212 from Azure/pebryan-2020-10-13/PHOSPHORUS_IOCS
...
New queries
2020-10-23 09:28:49 -07:00
Pete Bryan
42ce85d763
fixes
2020-10-23 09:18:48 -07:00
Pete Bryan
88971f64f1
Fix overwrite of older PHOSPHORUS query
2020-10-23 09:13:53 -07:00
Offir Shvartz
035706a999
merge
2020-10-21 09:37:20 +03:00
Offir Shvartz
579d0ef63c
Merge branch 'master' into feature/addKqlValidations
2020-10-21 09:23:53 +03:00
Shain
ef04f5410f
Merge pull request #1178 from secops-and-hops/master
...
MFA push deny detection
2020-10-20 16:05:06 -07:00
Pete Bryan
9cae1c2fef
New queries
2020-10-20 13:25:50 -07:00
ehudk-msft
30feffc88b
Update AWSConsoleAADCorrelation.yaml
2020-10-20 13:27:55 +03:00
Kenneth Meyer-Lassen
1e9b458801
New detection rule
2020-10-19 16:14:51 +02:00
Anthony Coggins
12497e62f9
Update ExplicitMFADeny.yaml
2020-10-16 11:52:01 -04:00
Anthony Coggins
27e9ac1a39
Update ExplicitMFADeny.yaml
2020-10-14 14:49:09 -04:00
Anthony Coggins
cbe4a20665
Add files via upload
2020-10-14 11:00:48 -04:00
Shain
354e25e587
Merge pull request #1097 from swiftsolves-msft/nateswift-detect-ti
...
Create IPEntity_AzureNetworkAnalytics.yaml
2020-10-08 11:46:54 -07:00
Samik Roy
bd564f45c4
Merge branch 'master' into patch-1
2020-10-02 11:47:21 +05:30
Pete Bryan
46d6b0e676
Merge branch 'master' into pebryan/2020-9-4-LAQueryLogs
2020-09-25 09:42:15 -07:00
Shain
56998b4878
Merge pull request #1093 from Castaldio86/patch-3
...
Create CorrelateIPC_Unfamiliar-Atypical
2020-09-25 09:19:04 -07:00
Castaldio86
7c459c380f
Update CorrelateIPC_Unfamiliar-Atypical
2020-09-25 10:09:11 +02:00
petebryan
56e5126857
PR comments changes
2020-09-22 14:21:47 -07:00
swiftsolves-msft
54c5ba3c4a
Create IPEntity_AzureNetworkAnalytics.yaml
...
Rewrote the VMConnection TI Map PublicIP detection to work with NSG Flow Logs from Azure Traffic Analytics, set so that detection occurs on an Allowed NSG Flow from a TI PublicIP IOC match.
2020-09-22 10:17:38 -04:00
Shain
07df3421ae
Merge pull request #987 from Azure/itay/fixGithubDetections2
...
Fix | EntityMappings for github detections
2020-09-21 07:09:15 -07:00
Raz Marom
df2d6132a5
change directory: Detections/SigninLogs/GitHub Activities from Infrequent Country.yaml -> Detections/GitHub/GitHub Activities from Infrequent Country.yaml
2020-09-21 12:29:24 +03:00
Castaldio86
6638605831
Create CorrelateIPC_Unfamiliar-Atypical
2020-09-19 19:43:50 +02:00
Shain
a38e7896e8
Merge pull request #1013 from chicduong/acn_cd_oktaARfix
...
ACN_CD_OktaAnalyticsRulesFix
2020-09-19 08:20:57 -07:00
Shain
6a46db221f
Merge pull request #1022 from Azure/PulseConnectSecure_BugBash
...
Pulse Connect Secure VPN Bugbash Changes
2020-09-17 19:03:25 -07:00
Shain
ee7e10ef0e
Merge pull request #1090 from Azure/BugFix_FailedLogonAttemptswithin10m
...
Bug fix failed logon attempts within 10m
2020-09-17 13:54:25 -07:00
Ajeet Prakash (MSTIC)
d548704278
Removing the double header that was copied by mistake
2020-09-17 13:45:14 -07:00
Ajeet Prakash (MSTIC)
328e3e9bf8
Added changes suggested by Shain in regards to Reason, adding IP address, workstation details etc.
2020-09-17 13:10:20 -07:00
Shain
dcb7f19334
Merge pull request #1068 from samikroy/patch-2
...
Create MultipleTeamsDeletes.yaml
2020-09-17 12:33:19 -07:00
Shain
f8a7984bcb
Merge pull request #1084 from thmcelro/Tom-Fix-LowVolume
...
Update Zscaler-LowVolumeDomainRequests.yaml
2020-09-17 12:30:45 -07:00
aprakash13
508e010633
Rename PulseConnectSecureVPN-PasswordSpray.yaml to PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
...
Made file name change based on change in name and description of this detection query. Details below:
Changed the below:
name: PulseConnectSecure - Potential Password Spray Attempts
description: |
'This query identifies evidence of potential password spray activity against the Pulse Secure VPN server,
by looking for failures from multiple accounts, originating from the same host within a time window'
To
name: PulseConnectSecure - Large Number of Distinct Failed User Logins
description: |
'This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server'
2020-09-17 11:42:21 -07:00
aprakash13
62d305b6cd
Update PulseConnectSecureVPN-PasswordSpray.yaml
...
Updating the name and description of the query.
2020-09-17 11:30:07 -07:00
Samik Roy
372e1d928b
Update ExternalUserAddedRemovedInTeams.yaml
...
Query made to detect for an hour.
2020-09-17 23:46:21 +05:30
aprakash13
da7ad0bfdf
Update PulseConnectSecureVPN-PasswordSpray.yaml
...
Renaming the detection query for better quality to indicate that the detection is based on PulseConnectSecure logs.
2020-09-17 11:14:19 -07:00
aprakash13
44257b18f4
Update PulseConnectSecureVPN-BruteForce.yaml
...
Renaming the detection query for better clarity to indicate that it came from PulseConnectSecure Logs.
2020-09-17 11:11:54 -07:00
Samik Roy
fb1b2a0e1d
Update MultipleTeamsDeletes.yaml
2020-09-17 23:23:01 +05:30
Samik Roy
83cc167a4c
Update MultipleTeamsDeletes.yaml
2020-09-17 23:16:31 +05:30
Samik Roy
70f4306c0a
Update MultipleTeamsDeletes.yaml
...
Updated as per review comments.
2020-09-17 22:52:22 +05:30
Thomas McElroy
8e61bc1fec
Update Zscaler-LowVolumeDomainRequests.yaml
...
Fixes to in usage
2020-09-17 18:01:43 +01:00
Shain
50e550cdef
Update ExcessiveLogonFailures.yaml
2020-09-17 09:27:10 -07:00
Shain
7bea0a85d9
Update ExcessiveLogonFailures.yaml
...
Updating reason codes and fixing up some syntax.
2020-09-17 09:21:47 -07:00
Offir Shvartz
019d6331d8
Merge branch 'master' into feature/addKqlValidations
2020-09-17 13:36:35 +03:00
Ajeet Prakash (MSTIC)
65f34a025c
Adding explanation for Substatus code.
2020-09-17 02:33:35 -07:00
Ajeet Prakash (MSTIC)
7520d896e1
Modifying this to look for only failed logon attempts from Valid accounts.
2020-09-17 02:28:40 -07:00
petebryan
1c88e458ce
VIP user detection query
2020-09-16 13:33:17 -07:00
Thomas McElroy
3840d4e364
Update Zscaler-LowVolumeDomainRequests.yaml
2020-09-15 16:36:03 +01:00
Thomas McElroy
56a6d39d2c
Update Zscaler-LowVolumeDomainRequests.yaml
...
- Expanded supported script extensions and made them easier to customise.
- Added additional check for POST request or GET request with parameters to remove FPs where no data was submitted to the server. Use the max summarisation function as we only care about there being one set of activity where data is transferred.
- Added additional check to ensure that no referer was provided; this check defeats most FPs caused by WordPress's admin ajax.
- Added basic defeat to remove email click tracking activity; while this may increase FNs it should significantly reduce FPs.
2020-09-15 11:45:40 +01:00
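The four filters the commit message above describes (script extension, data actually submitted, no referer, click-tracker defeat, followed by a per-host summarisation that keeps only the max of the data-sent flag), worked as an added KQL example. This is not the repository's Zscaler-LowVolumeDomainRequests.yaml query: the column names (SourceIP, DestinationHostName, RequestURL, RequestMethod, Referer), the extension and tracker lists, the one-source threshold and every sample row are constructed assumptions for illustration only.

```kql
// Added example: the low-volume script-request filtering described in the commit,
// run over constructed sample rows. Column names, extension list, tracker terms
// and threshold are assumptions, not the real Zscaler / CommonSecurityLog schema.
let ScriptExtensions = dynamic(["php", "asp", "aspx", "jsp", "cgi", "pl"]);
let ClickTrackerTerms = dynamic(["click", "links", "track"]);   // email click-tracking defeat (assumed terms)
let MaxSources = 1;                                             // "low volume": requests from a single client
let Sample = datatable(TimeGenerated:datetime, SourceIP:string, DestinationHostName:string,
                       RequestURL:string, RequestMethod:string, Referer:string)
[
  // lone client POSTing to a script with no referer: the case the rule is after
  datetime(2020-09-15T10:00:00Z), "10.1.1.5",  "rare-host.example",    "http://rare-host.example/gate.php",                     "POST", "",
  // WordPress admin-ajax: a POST, but it carries a referer, so the referer check drops it
  datetime(2020-09-15T10:05:00Z), "10.1.1.6",  "blog.example",         "http://blog.example/wp-admin/admin-ajax.php?action=x", "POST", "http://blog.example/wp-admin/",
  // email click tracker: dropped by the tracker-term defeat
  datetime(2020-09-15T10:10:00Z), "10.1.1.7",  "click.mailer.example", "http://click.mailer.example/t.php?u=abc",              "GET",  "",
  // GET without parameters: nothing was submitted, so DataSent stays 0
  datetime(2020-09-15T10:15:00Z), "10.1.1.8",  "static.example",       "http://static.example/index.php",                      "GET",  "",
  // same host seen from several clients: not low volume
  datetime(2020-09-15T10:20:00Z), "10.1.1.9",  "popular.example",      "http://popular.example/a.php?q=1",                     "GET",  "",
  datetime(2020-09-15T10:21:00Z), "10.1.1.10", "popular.example",      "http://popular.example/a.php?q=2",                     "GET",  "",
  datetime(2020-09-15T10:22:00Z), "10.1.1.11", "popular.example",      "http://popular.example/a.php?q=3",                     "GET",  ""
];
Sample
// 1. only requests whose path ends in a server-side script extension
| extend Path = tostring(parse_url(RequestURL).Path)
| extend Extension = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, Path))
| where Extension in (ScriptExtensions)
// 2. data was sent to the server: a POST, or a GET carrying query parameters
| extend DataSent = iff(RequestMethod == "POST" or RequestURL contains "?", 1, 0)
// 3. no referer supplied (defeats admin-ajax style in-page calls)
| where isempty(Referer)
// 4. drop hosts that look like email click trackers
| where not(DestinationHostName has_any (ClickTrackerTerms))
// summarise per destination; max() keeps the host if even one request carried data
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            RequestCount = count(), SourceCount = dcount(SourceIP),
            DataSent = max(DataSent)
  by DestinationHostName
| where DataSent == 1 and SourceCount <= MaxSources
| project StartTime, EndTime, DestinationHostName, RequestCount, SourceCount
```

Paste the block into a Log Analytics query window as-is; because the input is an inline datatable it needs no connected Zscaler data. To adapt it, swap the datatable for the real proxy table and rename the five assumed columns to the actual ones in your schema.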
Raz Marom
b6fc10cfad
move back GitHub Activities from Infrequent Country.yaml: Hunting/ -> Detection. + remove required connectors
2020-09-13 09:49:58 +03:00
Samik Roy
4e13190b94
Update MultipleTeamsDeletes.yaml
2020-09-13 11:57:07 +05:30
Samik Roy
21441d4481
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:52:59 +05:30
Samik Roy
a688667b71
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:42:39 +05:30
Samik Roy
07cda89401
Update MultipleTeamsDeletes.yaml
2020-09-13 11:41:51 +05:30
Samik Roy
7a9540aa79
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:40:40 +05:30
Samik Roy
7295f552bd
Create MultipleTeamsDeletes.yaml
...
This detection flags the occurrences of deleting multiple teams within an hour.
This data is a part of Office 365 Connector in Azure Sentinel.
More details: https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
2020-09-13 11:09:33 +05:30
Samik Roy
80d6166a88
Create ExternalUserAddedRemovedInTeams.yaml
...
This detection flags the occurrences of external user accounts that are added to a Team and then removed within
one hour. This data is a part of Office 365 Connector in Azure Sentinel.
More details: https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
2020-09-13 10:21:38 +05:30
Nick Carr
8efaa288cc
Create StrontiumCredHarvesting.yaml
...
Detection to accompany STRONTIUM blog
2020-09-10 14:46:55 -04:00
Offir Shvartz
11ec709397
fix tests
2020-09-10 16:13:11 +03:00
Ashwin Patil
578920a191
corrected connector for Keyvault
2020-09-09 11:25:14 -07:00
Shain
ae298a1c15
Merge pull request #1009 from pemontto/feature-taxii
...
Add TAXII data source to analytics and hunting queries
2020-09-04 09:02:10 -07:00
Shain
1611f44b15
Merge pull request #1019 from Azure/detections-08-27-2020
...
Detections and hunting queries- Aug 2020
2020-09-04 08:39:10 -07:00
Raz Marom
a599a97703
comment fix - move query from Detection -> Hunting
2020-09-02 11:33:16 +03:00
Raz Marom
734a3ee693
Fix | EntityMappings for github detections
2020-09-02 11:33:16 +03:00
Ashwin Patil
3bc8fb1d78
changes per PR Review
2020-09-01 12:53:33 -07:00
Shain
7df95c1112
Update AWSConsoleAADCorrelation.yaml
2020-09-01 09:54:22 -07:00
Shain
780590159a
Merge pull request #1023 from Azure/ProofPoint_Bugbash
...
Proofpoint Bug Bash changes
2020-08-31 23:38:36 -07:00
Shain
412d46b306
Update AnomalousIPUsageFollowedByTeamsAction.yaml
2020-08-31 23:25:46 -07:00
Ajeet Prakash (MSTIC)
283c306b05
Proofpoint Bug Bash changes
2020-08-31 07:51:25 -07:00
aprakash13
9e20e31b80
Update PulseConnectSecureVPN-PasswordSpray.yaml
2020-08-31 07:05:44 -07:00
Ajeet Prakash (MSTIC)
63b106bf18
Pulse Connect Secure VPN Bugbash Changes
2020-08-31 06:27:01 -07:00
omerhaimov
00ee8cf5f0
Update ExcessiveNXDOMAINDNSQueries.yaml ( #1021 )
...
* Update ExcessiveNXDOMAINDNSQueries.yaml
fix query
* Update ExcessiveNXDOMAINDNSQueries.yaml
2020-08-31 14:53:11 +03:00
Ashwin Patil
459283bd2d
fixing document link by removing en-us
2020-08-28 10:56:01 -07:00
Ashwin Patil
6df3878485
Renamed files and added missing detection fields
2020-08-28 10:35:55 -07:00
Ashwin Patil
bc56da3b7e
AzureActivity detection for expensive computes
2020-08-28 10:29:34 -07:00
chicduong
167a139603
revisions
2020-08-27 08:53:09 -07:00
chicduong
da04d78b11
corrections to syntax
2020-08-25 11:04:08 -07:00
pemontto
abbbc5d072
Add ThreatIntelligenceTaxii as data connector
2020-08-25 10:56:21 +01:00
pemontto
1d7fed2a42
Don't filter on arbitrary id
2020-08-25 10:56:09 +01:00
Andrew Bennett
024ad4baba
Fixed typo in analytical rule description
...
anamalous > anomalous
2020-08-24 05:56:06 +01:00
Shain
bd4b2c5947
Merge pull request #928 from Azure/pebryan-syslog-review
...
Fixes to Syslog Detections
2020-08-13 11:59:35 -07:00
Pete Bryan
88f90c6a3c
Update ssh_potentialBruteForce.yaml
2020-08-13 11:47:53 -07:00
Pete Bryan
a72c9c7c20
Update ssh_NewlyInternetExposed.yaml
2020-08-13 11:46:23 -07:00
Pete Bryan
e049b2d7a2
Merge branch 'master' into pebryan-dns-hunting-bugbash
2020-08-13 11:38:06 -07:00
petebryan
3bd4de4e1a
PR changes
2020-08-10 08:09:23 -07:00
petebryan
7f5e2f30c8
PR changes
2020-08-10 08:07:06 -07:00
petebryan
6f0ba31206
dns hunting fixes
2020-08-04 11:36:53 -07:00
petebryan
dcce76bd1a
Fixes
2020-08-04 09:53:30 -07:00
petebryan
f0a4604a88
Fixes
2020-07-31 15:49:23 -07:00
Shain Wray (MSTIC)
7d4726475d
Moving file and adding YAML extension
2020-07-30 10:57:44 -07:00
Shain
8fa1932ccc
Merge pull request #607 from jross1012/patch-5
...
Create SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts
2020-07-30 10:54:59 -07:00
Shain
bc13df96ac
Update SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts
...
removing localized string in reference URL
2020-07-30 10:52:05 -07:00
Shain
5e9dadba1e
Merge pull request #912 from Azure/Tactics-Typos
...
Tactics typos and other QA fixes
2020-07-28 14:26:58 -07:00
Shain
278a2d04dd
Merge pull request #716 from aadelnabil/patch-4
...
Update DistribPassCrackAttempt.yaml
2020-07-28 14:25:30 -07:00
Ashwin Patil
70b6f7d1aa
removed requiredConnectors for CustomConnector
2020-07-28 12:16:55 -07:00
Ashwin Patil
a58c73d1d6
Moved file to correct folder
2020-07-28 12:11:50 -07:00
Ashwin Patil
458074f1fd
Typo in InitialAccess
2020-07-28 12:10:28 -07:00
Ashwin Patil
4b32d962d9
Typo in Persistence
2020-07-28 12:01:49 -07:00
Shain
09fee48aea
Merge pull request #898 from Azure/QA-yaml-issues
...
yaml QA issues and Bugfix for detection
2020-07-24 12:05:22 -07:00
chicduong
b916801572
ACN_CD_InfobloxUpdate ( #879 )
...
* modified parser
* parser update
* revert changes
* updated Type to Log_Type
* feedback updates
2020-07-24 11:54:35 -07:00
Ashwin Patil
34a188a647
creating IPRegex variable to re-use
2020-07-24 11:05:19 -07:00
Ashwin Patil
1d7db2fe25
bugfix- Phosphorus IOC query changes
2020-07-23 16:43:15 -07:00
Ashwin Patil
5177a432a7
BugFix- additional field coverage containing IP
2020-07-23 16:31:25 -07:00
Shain Wray (MSTIC)
2c3c5d4859
Fixing up bugs related to missing items in schema or output values missing from query
2020-07-23 11:45:41 -07:00
aadelnabil
c0ea20bcbd
Update DistribPassCrackAttempt.yaml
2020-07-23 11:01:35 +12:00
aadelnabil
91da9d41f2
Update DistribPassCrackAttempt.yaml
...
Update some typos
2020-07-23 11:00:54 +12:00
aadelnabil
0b4ec23397
Update DistribPassCrackAttempt.yaml
...
Updated the rule as discussed, removed the line that caused splitting the result into multiple records/events as it seemed confusing and provides false information about the number of failed logins per location
2020-07-23 10:59:51 +12:00
Preeti Krishna
ad8ec71c03
Update MalwareLinkClicked.yaml
2020-07-21 17:53:27 -07:00
Preeti Krishna
4e203b4fa7
Update MalwareAttachmentDelivered.yaml
2020-07-21 17:53:09 -07:00
Preeti Krishna
95cae6c9bb
Update LoginfromUsersfromDifferentCountrieswithin3hours.yaml
2020-07-21 17:51:44 -07:00
Shain
1b63f8cb77
Merge pull request #857 from Azure/AAD-Detections
...
detection for AAD Privileged groups
2020-07-17 16:44:39 -07:00
Shain
3e9fa14d2f
Merge pull request #862 from Azure/shainw-DevOpsFix
...
Fixing up some syntax and couple of bugs
2020-07-17 10:07:32 -07:00
Shain Wray (MSTIC)
d7e77b4a33
Upd Tactics/Techniques, combined hunting folder
2020-07-17 09:41:49 -07:00
Shain
9ad5ad6a29
Merge pull request #805 from thmcelro/Tom-Teams-Hunt
...
Create AnomalousIPUsageFollowedByTeamsAction.kql
2020-07-17 08:03:59 -07:00
Thomas McElroy
e92155c5e1
Fixing data sources
2020-07-17 15:57:36 +01:00
Thomas McElroy
d4003d13f2
Fixes based on Shain's feedback
2020-07-17 10:29:54 +01:00
Ashwin Patil
bf7c07ee7c
changes based on PR review
2020-07-16 18:47:15 -07:00
Shain Wray (MSTIC)
7f6607ed7f
changing operation order
2020-07-16 08:39:56 -07:00
Shain Wray (MSTIC)
0049712af5
Fixing up some syntax and couple of bugs
2020-07-15 20:56:06 -07:00
Preeti Krishna
cb69092536
Update MalwareAttachmentDelivered.yaml
2020-07-15 10:20:40 -07:00
Preeti Krishna
76efd24515
Update MalwareLinkClicked.yaml
2020-07-15 10:19:20 -07:00
Ashwin Patil
cedcbc3704
removing locale from docs link
2020-07-14 19:33:10 -07:00
Ashwin Patil
c380f16aab
fixing typos
2020-07-14 19:08:37 -07:00
Ashwin Patil
deabc28a01
detection for AAD Privileged groups
2020-07-14 18:14:57 -07:00
Shain
56196c77ba
Merge pull request #818 from Azure/shainw-fixFwdDest
...
Update Office_MailForwarding.yaml
2020-07-13 17:35:25 -07:00
Shain
680d177874
Update Office_MailForwarding.yaml
...
Updating per suggestions
2020-07-13 16:14:08 -07:00
Ashwin Patil
3a170d5b77
updated description on tuning notes
2020-07-10 15:09:47 -07:00
Ashwin Patil
8ec6e4485a
timeframe and baseline threshold to reduce noise
2020-07-10 15:03:05 -07:00
Ashwin Patil
9a4285c9fb
remove Keydecrypt - too noisy - benign Azure IPs.
2020-07-10 13:57:17 -07:00
Tomáš Kubica
a005dc7940
adding Eset SMC parser ( #476 )
...
* adding Eset SMC parser
* Eset SMC data connector
* remove files no longer needed
* enhanced conn., added workbook and detections
Co-authored-by: Tomas Kubica <tokubica@microsoft.com>
2020-07-08 17:55:11 -07:00
Shain
5f81630a98
Merge pull request #821 from Azure/missingconnectorId-fixes
...
Missing connector id, datatypes and yaml file extension fixes
2020-07-08 11:55:26 -07:00