2aa1ca0fd7
updated make_set limit to 100
2020-12-03 16:23:19 -08:00
963748ac5d
adding limit to make_set to scale performance
2020-12-03 16:12:05 -08:00
457fe22a27
description and threshold to reduce FPs
2020-12-03 16:05:05 -08:00
f886a062e0
Fixing typo
2020-12-03 09:54:18 -08:00
ec8eb1a990
Merge branch 'master' into AFAD-connector
2020-12-03 10:35:04 +01:00
e9ed3c3c19
fix GUIDs per build failures
2020-12-02 20:05:18 -08:00
c51c4b4e2d
fix build failures
2020-12-02 19:02:48 -08:00
4e40b106db
doclink and unusued KQL fixes
2020-12-02 18:52:36 -08:00
0d8ab7fca3
fix for Keyvault
2020-12-02 18:46:40 -08:00
a7b00b15a8
timeseries fixes
2020-12-02 18:11:35 -08:00
08a6e3cca5
file rename, entity mappings
2020-12-02 18:11:10 -08:00
90492f830e
added new detection for timeseries for Office
2020-12-02 09:34:50 -08:00
315d3bfd14
including new entity mapping information
2020-12-02 08:19:12 -08:00
7f267d4132
Merge pull request #1341 from Azure/shainw-removeKeyDecrypt
...
Update KeyVaultSensitiveOperations.yaml
2020-12-01 18:23:54 -08:00
b33bdbd8b3
Update NewAppOrServicePrincipalCredential.yaml
...
Moving the filtering a bit higher in the query to improve perf, plus changing the name of InitiatingUser to InitiatingUserOrApp so it is clear this can come from 2 different values.
2020-12-01 16:01:00 -08:00
00feaec7fc
Update NewAppOrServicePrincipalCredential.yaml
...
Filtered additional non-user events by simplifying the final InitiatingUser filter
2020-12-01 01:35:16 -05:00
d948763a88
Update and rename NewKeyIdentifierAddedToOAuthApp.yaml to NewAppOrServicePrincipalCredential.yaml
...
Minor changes:
* casted extracted variables tostring()s
* expanded logic to include all three (3) event types for both Applications and Service Principals - with an added filter
2020-11-30 22:42:31 -05:00
b742141cc2
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
Improving documentation & comments
2020-11-30 21:41:15 -05:00
88544d4d42
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
cleaning up & re-ordering output slightly
2020-11-30 16:44:03 -05:00
6d8843766f
Update NewKeyIdentifierAddedToOAuthApp.yaml
...
Removed locale in documentation reference
2020-11-30 16:31:56 -05:00
cb0dff88c4
Initial proposal of keyIdentifier detection events
...
TODO:
* re-pack and display helpful investigative fields TargetId.ServicePrincipalNames, ServicePrincipalName, ActorId.ServicePrincipalNames, DisplayName
* explore time series anomalies, new IP address activity
* join other helpful investigative data based on correlationId
2020-11-30 16:23:43 -05:00
98f426fcce
Merge pull request #1342 from Azure/shainw-AddDomainNameEntity
...
Update MultiVendor-PossibleDGAContacts.yaml
2020-11-25 07:26:06 -08:00
30d61e126d
Merge pull request #1318 from vaniMSTIC/vaasawa-mstic
...
Create MaliciousWAFSessions.yaml
2020-11-23 07:48:17 -08:00
d47acc4e96
Update MaliciousWAFSessions.yaml
...
Shain's feedback #2
2020-11-23 11:09:51 +00:00
3a4a479b1c
Expansions strongify ( #1329 )
...
* Expansions strongify
Mapping stringer identifiers
* Fixing these up a bit to simplify and output additional entity mappings
* Couple other tweaks
Co-authored-by: Shain Wray (MSTIC) <shainw@microsoft.com>
2020-11-22 09:07:55 +02:00
eed743d86a
Update MaliciousWAFSessions.yaml
...
- Change timeStamp_t to TimeGenerated
- Send email to Shain regarding creation of customer schema template
2020-11-20 10:34:08 +00:00
d13f1b6e61
Update MultiVendor-PossibleDGAContacts.yaml
2020-11-19 12:52:50 -08:00
d74233ae34
Update KeyVaultSensitiveOperations.yaml
...
Removing KeyDecrypt, this replaces only this portion from PR #1262 which we are closing as other changes are not required.
2020-11-19 12:47:33 -08:00
3eefe252d5
Merge pull request #1331 from lreading/bugfix/typo-361dd1e3-1c11-491e-82a3-bb2e44ac36ba
...
Fixing typo in description of "Suspicious number of resource creation or deployment activities"
2020-11-19 09:59:51 -08:00
fa85e7f722
Remove inconsistent BOMs from detections
2020-11-19 16:57:39 +00:00
1beae7fec4
Update KnownPHOSPHORUSDomainsIP-October2020.yaml
...
The current requieredDataType(SecurityAlert (Office 365 Security & Compliance)) is incorrect.
According to OfficeATP it should be SecurityAlert (OATP).
2020-11-19 10:49:15 +02:00
4c3f660c67
Fixing type in rule description for rule id 361dd1e3-1c11-491e-82a3-bb2e44ac36ba, Suspicious number of resource creation or deployment activities
2020-11-18 10:34:08 -05:00
9f0fa91b90
Feature/lahisham/migrate scheduled templates to new entity mapping ( #1319 )
...
* migrate scheduled templates to new entity mapping model
* add validation for missing new entity mappings
2020-11-17 17:27:25 +02:00
64123da594
Update MaliciousWAFSessions.yaml
...
Shain's feedback
2020-11-17 12:30:43 +00:00
52a8be5ab5
Update MaliciousWAFSessions.yaml
...
Changing severity
2020-11-16 16:57:22 +00:00
80d79a7631
Create MaliciousWAFSessions.yaml
2020-11-16 13:56:15 +00:00
bf4d353dcf
Update Sign-in Burst from Multiple Locations.yaml
...
DetectionTemplate validation is failing with - YamlDotNet.Core.SemanticErrorException : (Line: 20, Col: 1, Idx: 451) - (Line: 20, Col: 3, Idx: 453): While scanning a literal block scalar, found extra spaces in first line.
Removing empty line from after query: | to see if it is that.
2020-11-12 21:56:24 -08:00
a05f842898
Update Sign-in Burst from Multiple Locations.yaml
...
Fixing first line in query to resolve yaml file validation issue, then will see if this resolves KQL validation issue, also adding in required timestamp entity mapping field.
2020-11-12 21:36:56 -08:00
46f9e2f48c
Merge branch 'master' into patch-11
2020-11-12 21:13:39 -08:00
ba853a88d0
Update BariumDomainIOC112020.yaml
2020-11-11 11:36:30 -08:00
5221b6f1e5
Rename BariumIPIOC.yaml to BariumIPIOC112020.yaml
2020-11-11 11:34:45 -08:00
8f016bb857
Update BariumIPIOC.yaml
2020-11-11 11:32:45 -08:00
2a371c7bba
Update and rename BariumDomainIOC.yaml to BariumDomainIOC112020.yaml
2020-11-11 11:31:59 -08:00
35b80277ec
Update BariumDomainIOC.yaml
2020-11-11 07:11:11 -08:00
b741809153
Barium related IP/Domain IOC's
2020-11-11 06:35:16 -08:00
b693dabdcc
Update ExternalUserAddedRemovedInTeams.yaml
2020-11-08 08:23:52 +02:00
69b5c47f08
Update gte_6_FailedLogons_10m.yaml
2020-11-08 08:22:33 +02:00
6300ae37a3
Add more analytic rules templates
...
Signed-off-by: Julien CLEMENT <julien.clement@epita.fr>
2020-11-05 18:10:31 +01:00
0365540c39
fix CorrelateIPC_Unfamiliar-Atypical
2020-11-05 15:18:39 +02:00
39465cf6b7
Adding analytic rules templates
...
Signed-off-by: Julien CLEMENT <julien.clement@epita.fr>
2020-11-05 12:28:36 +01:00
e5f395228f
.
2020-11-05 12:46:59 +02:00
d3bea16104
several fixes to templates
2020-11-05 11:17:29 +02:00
3836a3fb5a
Update SeveralDenyActionsRegistered.yaml
2020-11-04 19:24:09 +02:00
579c773c2d
Update Sign-in Burst from Multiple Locations.yaml ( #1265 )
2020-11-04 11:45:23 +02:00
178c303985
Update Sign-in Burst from Multiple Locations.yaml
2020-11-04 11:36:51 +02:00
e0c7d4c305
Update STRONTIUMOct292020IOCs.yaml
2020-11-02 19:51:16 +02:00
6b0ba3849f
Merge pull request #1244 from ehudk-msft/patch-3
...
Update PasswordSpray.yaml
2020-11-02 07:43:27 -08:00
2f1f38dc6c
Merge pull request #1245 from ehudk-msft/patch-2
...
Update Threat Intel Matches to GitHub Audit Logs.yaml
2020-11-02 07:43:04 -08:00
92f8b2bcb5
Merge pull request #1246 from ehudk-msft/patch-4
...
Update MalwareAttachmentDelivered.yaml
2020-11-02 07:42:37 -08:00
39d7eab071
Add Kql Validation to PR pipeline (detection only) ( #1223 )
...
Co-authored-by: Offir Shvartz <ofshvart@microsoft.com>
2020-11-01 09:15:35 +02:00
01ffba8c40
Update MalwareAttachmentDelivered.yaml
2020-10-31 01:15:30 +02:00
5977a7a149
Update PasswordSpray.yaml
2020-10-31 01:05:26 +02:00
12e65474a8
Update Threat Intel Matches to GitHub Audit Logs.yaml
2020-10-31 00:52:42 +02:00
29b09ea3f7
IOC queries from Russ
2020-10-29 23:06:48 +00:00
9f30c0189f
Mapping fix
2020-10-29 08:00:55 -07:00
6abefdd26a
Update SeveralDenyActionsRegistered.yaml
2020-10-27 10:50:44 -07:00
f8022cafe9
Merge pull request #1188 from KennethMLdk/master
...
New detection rule
2020-10-27 10:49:51 -07:00
402b6c1c6f
Revert "Add KQL syntax validation of detection queries as part of the PR pipeline"
2020-10-27 10:37:31 -07:00
7238f42ef3
Merge pull request #1039 from oshvartz/feature/addKqlValidations
...
Add KQL syntax validation of detection queries as part of the PR pipeline
2020-10-27 10:29:28 -07:00
2cec7f6e8d
Sentinel firewall alert
2020-10-26 16:07:11 +01:00
5485e71621
Update SeveralDenyActionsRegistered.yaml
2020-10-26 15:10:51 +01:00
9deff80266
Update SeveralDenyActionsRegistered.yaml
2020-10-26 14:53:02 +01:00
e99aaf14ba
Merge pull request #1212 from Azure/pebryan-2020-10-13/PHOSPHORUS_IOCS
...
New queries
2020-10-23 09:28:49 -07:00
42ce85d763
fixes
2020-10-23 09:18:48 -07:00
88971f64f1
Fix overwrite of older PHOSPHORUS query
2020-10-23 09:13:53 -07:00
035706a999
merge
2020-10-21 09:37:20 +03:00
579d0ef63c
Merge branch 'master' into feature/addKqlValidations
2020-10-21 09:23:53 +03:00
ef04f5410f
Merge pull request #1178 from secops-and-hops/master
...
MFA push deny detection
2020-10-20 16:05:06 -07:00
9cae1c2fef
New queries
2020-10-20 13:25:50 -07:00
30feffc88b
Update AWSConsoleAADCorrelation.yaml
2020-10-20 13:27:55 +03:00
1e9b458801
New detection rule
2020-10-19 16:14:51 +02:00
12497e62f9
Update ExplicitMFADeny.yaml
2020-10-16 11:52:01 -04:00
27e9ac1a39
Update ExplicitMFADeny.yaml
2020-10-14 14:49:09 -04:00
cbe4a20665
Add files via upload
2020-10-14 11:00:48 -04:00
354e25e587
Merge pull request #1097 from swiftsolves-msft/nateswift-detect-ti
...
Create IPEntity_AzureNetworkAnalytics.yaml
2020-10-08 11:46:54 -07:00
bd564f45c4
Merge branch 'master' into patch-1
2020-10-02 11:47:21 +05:30
46d6b0e676
Merge branch 'master' into pebryan/2020-9-4-LAQueryLogs
2020-09-25 09:42:15 -07:00
56998b4878
Merge pull request #1093 from Castaldio86/patch-3
...
Create CorrelateIPC_Unfamiliar-Atypical
2020-09-25 09:19:04 -07:00
7c459c380f
Update CorrelateIPC_Unfamiliar-Atypical
2020-09-25 10:09:11 +02:00
56e5126857
PR comments changes
2020-09-22 14:21:47 -07:00
54c5ba3c4a
Create IPEntity_AzureNetworkAnalytics.yaml
...
Rewrited the VMConnection TI Map PublicIP detection to work with NSG Flow Logs from Azure Traffic Analytics, set so that detection occurs on Allowed NSG Flow from TI PublicIP IOC match.
2020-09-22 10:17:38 -04:00
07df3421ae
Merge pull request #987 from Azure/itay/fixGithubDetections2
...
Fix | EntityMappings for github detections
2020-09-21 07:09:15 -07:00
df2d6132a5
change directory: Detections/SigninLogs/GitHub Activities from Infrequent Country.yaml -> Detections/GitHub/GitHub Activities from Infrequent Country.yaml
2020-09-21 12:29:24 +03:00
6638605831
Create CorrelateIPC_Unfamiliar-Atypical
2020-09-19 19:43:50 +02:00
a38e7896e8
Merge pull request #1013 from chicduong/acn_cd_oktaARfix
...
ACN_CD_OktaAnalyticsRulesFix
2020-09-19 08:20:57 -07:00
6a46db221f
Merge pull request #1022 from Azure/PulseConnectSecure_BugBash
...
Pulse Connect Secure VPN Bugbash Changes
2020-09-17 19:03:25 -07:00
ee7e10ef0e
Merge pull request #1090 from Azure/BugFix_FailedLogonAttemptswithin10m
...
Bug fix failed logon attemptswithin10m
2020-09-17 13:54:25 -07:00
d548704278
Removing the double header that was copied by mistake
2020-09-17 13:45:14 -07:00
328e3e9bf8
Added changes suggested by Shain in regards to Reason, adding IP address , workstation details etc.
2020-09-17 13:10:20 -07:00
dcb7f19334
Merge pull request #1068 from samikroy/patch-2
...
Create MultipleTeamsDeletes.yaml
2020-09-17 12:33:19 -07:00
f8a7984bcb
Merge pull request #1084 from thmcelro/Tom-Fix-LowVolume
...
Update Zscaler-LowVolumeDomainRequests.yaml
2020-09-17 12:30:45 -07:00
508e010633
Rename PulseConnectSecureVPN-PasswordSpray.yaml to PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
...
Made File name change based on change in name and description of this detection query. Details Below:
Changed the below :
name: PulseConnectSecure - Potential Password Spray Attempts
description: |
'This query identifies evidence of potential password spray activity against the Pulse Secure VPN server,
by looking for failures from multiple accounts, originating from the same host within a time window'
To
name: PulseConnectSecure - Large Number of Distinct Failed User Logins
description: |
'This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server'
2020-09-17 11:42:21 -07:00
62d305b6cd
Update PulseConnectSecureVPN-PasswordSpray.yaml
...
Updating the name and description of the query.
2020-09-17 11:30:07 -07:00
372e1d928b
Update ExternalUserAddedRemovedInTeams.yaml
...
Query made to detect for an hour.
2020-09-17 23:46:21 +05:30
da7ad0bfdf
Update PulseConnectSecureVPN-PasswordSpray.yaml
...
Renaming the detection query for better quality to indicate that the detection is based of PulseConnectSecure logs.
2020-09-17 11:14:19 -07:00
44257b18f4
Update PulseConnectSecureVPN-BruteForce.yaml
...
Renaming the detection query for better clarity to indicate that it came from PulseConnectSecure Logs.
2020-09-17 11:11:54 -07:00
fb1b2a0e1d
Update MultipleTeamsDeletes.yaml
2020-09-17 23:23:01 +05:30
83cc167a4c
Update MultipleTeamsDeletes.yaml
2020-09-17 23:16:31 +05:30
70f4306c0a
Update MultipleTeamsDeletes.yaml
...
Updated as per review comments.
2020-09-17 22:52:22 +05:30
8e61bc1fec
Update Zscaler-LowVolumeDomainRequests.yaml
...
Fixes to in usage
2020-09-17 18:01:43 +01:00
50e550cdef
Update ExcessiveLogonFailures.yaml
2020-09-17 09:27:10 -07:00
7bea0a85d9
Update ExcessiveLogonFailures.yaml
...
Updating reason codes and fixing up some syntax.
2020-09-17 09:21:47 -07:00
019d6331d8
Merge branch 'master' into feature/addKqlValidations
2020-09-17 13:36:35 +03:00
65f34a025c
Adding explanation for Substatus code.
2020-09-17 02:33:35 -07:00
7520d896e1
Modifying this to look for only failed logon attempst from Valid accounts.
2020-09-17 02:28:40 -07:00
1c88e458ce
VIP user detection query
2020-09-16 13:33:17 -07:00
3840d4e364
Update Zscaler-LowVolumeDomainRequests.yaml
2020-09-15 16:36:03 +01:00
56a6d39d2c
Update Zscaler-LowVolumeDomainRequests.yaml
...
- Expanded supported script extensions and made them easier to customise.
- Added additional check for POST request or GET request with parameters to remove FP's where no data was submitted to the server. Use the max summarisation function as we only care about there being one set of activity where data is transferred.
- Added additional check to ensure that no referer was provided, this check defeats most FP's caused by wordpress's admin ajax
- Added basic defeat to remove email click tracking activity, while this may increase FN's it should siginificantly reduce FP's.
2020-09-15 11:45:40 +01:00
b6fc10cfad
move back GitHub Activities from Infrequent Country.yaml: Hunting/ -> Detection. + remove required connectors
2020-09-13 09:49:58 +03:00
4e13190b94
Update MultipleTeamsDeletes.yaml
2020-09-13 11:57:07 +05:30
21441d4481
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:52:59 +05:30
a688667b71
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:42:39 +05:30
07cda89401
Update MultipleTeamsDeletes.yaml
2020-09-13 11:41:51 +05:30
7a9540aa79
Update ExternalUserAddedRemovedInTeams.yaml
2020-09-13 11:40:40 +05:30
7295f552bd
Create MultipleTeamsDeletes.yaml
...
This detection flags the occurrences of deleting multiple teams within an hour.
This data is a part of Office 365 Connector in Azure Sentinel.
More details: https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 '
2020-09-13 11:09:33 +05:30
80d6166a88
Create ExternalUserAddedRemovedInTeams.yaml
...
This detection flags the occurances of external user accounts that are added to a Team and then removed within
one hour.This data is a part of Office 365 Connector in Azure Sentinel.
More details: https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
2020-09-13 10:21:38 +05:30
8efaa288cc
Create StrontiumCredHarvesting.yaml
...
Detection to accompany STRONTIUM blog
2020-09-10 14:46:55 -04:00
11ec709397
fix tests
2020-09-10 16:13:11 +03:00
578920a191
corrected connnector for Keyvault
2020-09-09 11:25:14 -07:00
ae298a1c15
Merge pull request #1009 from pemontto/feature-taxii
...
Add TAXII data source to analytics and hunting queries
2020-09-04 09:02:10 -07:00
1611f44b15
Merge pull request #1019 from Azure/detections-08-27-2020
...
Detections and hunting queries- Aug 2020
2020-09-04 08:39:10 -07:00
a599a97703
comment fix - move query from Detection -> Hunting
2020-09-02 11:33:16 +03:00
734a3ee693
Fix | EntityMappings for github detections
2020-09-02 11:33:16 +03:00
3bc8fb1d78
changes per PR Review
2020-09-01 12:53:33 -07:00
7df95c1112
Update AWSConsoleAADCorrelation.yaml
2020-09-01 09:54:22 -07:00
780590159a
Merge pull request #1023 from Azure/ProofPoint_Bugbash
...
Proofpoint Bug Bash changes
2020-08-31 23:38:36 -07:00
412d46b306
Update AnomalousIPUsageFollowedByTeamsAction.yaml
2020-08-31 23:25:46 -07:00
283c306b05
Proofpoint Bug Bash changes
2020-08-31 07:51:25 -07:00
9e20e31b80
Update PulseConnectSecureVPN-PasswordSpray.yaml
2020-08-31 07:05:44 -07:00
63b106bf18
Pulse Connect Secure VPN Bugbash Changes
2020-08-31 06:27:01 -07:00
00ee8cf5f0
Update ExcessiveNXDOMAINDNSQueries.yaml ( #1021 )
...
* Update ExcessiveNXDOMAINDNSQueries.yaml
fix query
* Update ExcessiveNXDOMAINDNSQueries.yaml
2020-08-31 14:53:11 +03:00
459283bd2d
fixing document link by removing en-us
2020-08-28 10:56:01 -07:00
6df3878485
Renamed files and added missing detection fields
2020-08-28 10:35:55 -07:00
bc56da3b7e
AzureActivity detection for expensive computes
2020-08-28 10:29:34 -07:00
167a139603
revisions
2020-08-27 08:53:09 -07:00
da04d78b11
corrections to syntax
2020-08-25 11:04:08 -07:00
abbbc5d072
Add ThreatIntelligenceTaxii as data connector
2020-08-25 10:56:21 +01:00
1d7fed2a42
Don't filter on arbitrary id
2020-08-25 10:56:09 +01:00
024ad4baba
Fixed typo in analytical rule description
...
anamalous > anomalous
2020-08-24 05:56:06 +01:00
bd4b2c5947
Merge pull request #928 from Azure/pebryan-syslog-review
...
Fixes to Syslog Detections
2020-08-13 11:59:35 -07:00
88f90c6a3c
Update ssh_potentialBruteForce.yaml
2020-08-13 11:47:53 -07:00
a72c9c7c20
Update ssh_NewlyInternetExposed.yaml
2020-08-13 11:46:23 -07:00
e049b2d7a2
Merge branch 'master' into pebryan-dns-hunting-bugbash
2020-08-13 11:38:06 -07:00
3bd4de4e1a
PR changes
2020-08-10 08:09:23 -07:00
7f5e2f30c8
PR changes
2020-08-10 08:07:06 -07:00
6f0ba31206
dns hunting fixes
2020-08-04 11:36:53 -07:00
dcce76bd1a
Fixes
2020-08-04 09:53:30 -07:00
f0a4604a88
Fixes
2020-07-31 15:49:23 -07:00
7d4726475d
Moving file and adding YAML extension
2020-07-30 10:57:44 -07:00
8fa1932ccc
Merge pull request #607 from jross1012/patch-5
...
Create SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts
2020-07-30 10:54:59 -07:00
bc13df96ac
Update SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts
...
removing localized string in reference URL
2020-07-30 10:52:05 -07:00
5e9dadba1e
Merge pull request #912 from Azure/Tactics-Typos
...
Tactics typos and other QA fixes
2020-07-28 14:26:58 -07:00
278a2d04dd
Merge pull request #716 from aadelnabil/patch-4
...
Update DistribPassCrackAttempt.yaml
2020-07-28 14:25:30 -07:00
70b6f7d1aa
removed requiredConnectors for CustomConnector
2020-07-28 12:16:55 -07:00
a58c73d1d6
Moved file to correct folder
2020-07-28 12:11:50 -07:00
458074f1fd
Typo in InitialAccess
2020-07-28 12:10:28 -07:00
4b32d962d9
Typo in Persistence
2020-07-28 12:01:49 -07:00
09fee48aea
Merge pull request #898 from Azure/QA-yaml-issues
...
yaml QA issues and Bugfix for detection
2020-07-24 12:05:22 -07:00
b916801572
ACN_CD_InfobloxUpdate ( #879 )
...
* modified parser
* parser update
* revert changes
* updated Type to Log_Type
* feedback updates
2020-07-24 11:54:35 -07:00
34a188a647
creating IPRegex variable to re-use
2020-07-24 11:05:19 -07:00
1d7db2fe25
bugfix- Phosporous IOC query changes
2020-07-23 16:43:15 -07:00
5177a432a7
BugFix- additional field covereage containing IP
2020-07-23 16:31:25 -07:00
2c3c5d4859
Fixing up bugs related to missing items in schema or output values missing from query
2020-07-23 11:45:41 -07:00
c0ea20bcbd
Update DistribPassCrackAttempt.yaml
2020-07-23 11:01:35 +12:00
91da9d41f2
Update DistribPassCrackAttempt.yaml
...
Update some typos
2020-07-23 11:00:54 +12:00
0b4ec23397
Update DistribPassCrackAttempt.yaml
...
Updated the rule as discussed, removed the line that caused splitting the result into multiple records/events as it seemed confusing and provides false information about the number of failed logins per location
2020-07-23 10:59:51 +12:00
ad8ec71c03
Update MalwareLinkClicked.yaml
2020-07-21 17:53:27 -07:00
4e203b4fa7
Update MalwareAttachmentDelivered.yaml
2020-07-21 17:53:09 -07:00
95cae6c9bb
Update LoginfromUsersfromDifferentCountrieswithin3hours.yaml
2020-07-21 17:51:44 -07:00
1b63f8cb77
Merge pull request #857 from Azure/AAD-Detections
...
detection for AAD Privileged groups
2020-07-17 16:44:39 -07:00
3e9fa14d2f
Merge pull request #862 from Azure/shainw-DevOpsFix
...
Fixing up some syntax and couple of bugs
2020-07-17 10:07:32 -07:00
d7e77b4a33
Upd Tactics/Techniques, combined hunting folder
2020-07-17 09:41:49 -07:00
9ad5ad6a29
Merge pull request #805 from thmcelro/Tom-Teams-Hunt
...
Create AnomalousIPUsageFollowedByTeamsAction.kql
2020-07-17 08:03:59 -07:00
e92155c5e1
Fixing data sources
2020-07-17 15:57:36 +01:00
d4003d13f2
Fixes basedon Shain's feedback
2020-07-17 10:29:54 +01:00
bf7c07ee7c
changes based on PR review
2020-07-16 18:47:15 -07:00
7f6607ed7f
changing operation order
2020-07-16 08:39:56 -07:00
0049712af5
Fixing up some syntax and couple of bugs
2020-07-15 20:56:06 -07:00
cb69092536
Update MalwareAttachmentDelivered.yaml
2020-07-15 10:20:40 -07:00
76efd24515
Update MalwareLinkClicked.yaml
2020-07-15 10:19:20 -07:00
cedcbc3704
removing locale from docs link
2020-07-14 19:33:10 -07:00
c380f16aab
fixing typos
2020-07-14 19:08:37 -07:00
deabc28a01
detection for AAD Privileged groups
2020-07-14 18:14:57 -07:00
56196c77ba
Merge pull request #818 from Azure/shainw-fixFwdDest
...
Update Office_MailForwarding.yaml
2020-07-13 17:35:25 -07:00
680d177874
Update Office_MailForwarding.yaml
...
Updating per suggestions
2020-07-13 16:14:08 -07:00
3a170d5b77
updated description on tuning notes
2020-07-10 15:09:47 -07:00
8ec6e4485a
timeframe and baseline threshold to reduce noise
2020-07-10 15:03:05 -07:00
9a4285c9fb
remove Keydecrypt - too noisy - benign Azure IPs.
2020-07-10 13:57:17 -07:00
a005dc7940
adding Eset SMC parser ( #476 )
...
* adding Eset SMC parser
* Eset SMC data connector
* remove files no longer needed
* enhanced conn., added workbook and detections
Co-authored-by: Tomas Kubica <tokubica@microsoft.com>
2020-07-08 17:55:11 -07:00
5f81630a98
Merge pull request #821 from Azure/missingconnectorId-fixes
...
Missing connector id, datatypes and yaml file extension fixes
2020-07-08 11:55:26 -07:00
Ashwin Patil
Shain Wray (MSTIC)
Julien CLEMENT
Shain
Nick Carr
vaniMSTIC
Yaron
pemontto
necoh
lreading
laithhisham
aprakash13
Ajeet Prakash (MSTIC)
ehudk-msft
Pete Bryan
Offir Shvartz
ashwin-patil
Kenneth Meyer-Lassen
KennethMLdk
Offir Shvartz
Anthony Coggins
Samik Roy
Castaldio86
petebryan
swiftsolves-msft
Raz Marom
Thomas McElroy
omerhaimov
chicduong
Andrew Bennett
aadelnabil
Preeti Krishna
Tomáš Kubica