8d31998151
Update RareProcessWithCmdLine.yaml
2020-10-16 11:43:59 -07:00
271cd65ece
changes per PR Review
2020-09-01 12:56:22 -07:00
d672c52514
typo fixes for query
2020-08-28 10:31:00 -07:00
bc56da3b7e
AzureActivity detection for expensive computes
2020-08-28 10:29:34 -07:00
012f7c68d9
Merge pull request #905 from Azure/Expansions_Jul20
...
These queries do not work as expansion. Converted to hunting
2020-07-28 14:08:38 -07:00
df44093119
These queries do not work as expansion. Converted to hunting
2020-07-26 20:17:45 +03:00
4e84c68ad6
Reverting...
2020-07-26 14:21:15 +03:00
d366e195bb
Queries cannot serve as expansion. Converted to Hunting
2020-07-26 14:01:26 +03:00
b68b776fab
Merge pull request #593 from mcpjanmarek/patch-1
...
query to detect account lockouts
2020-07-17 16:39:59 -07:00
7daa78d277
Update ADAccountLockouts.yaml
...
Fixing tactics
2020-07-17 16:38:18 -07:00
7ef1d409df
Update ADAccountLockouts.yaml
...
Updating as original author has not completed and we want to have this contribution included.
2020-07-16 16:49:07 -07:00
c4cb1aed4e
Merge pull request #727 from zanecop/zanco/ado
...
Azure DevOps hunting and analytics - ZanCo
2020-06-29 14:00:14 -07:00
e013a6a368
Add a comment about DnsAdmins and DnsUpdatePorxy
...
Those two groups are not well-known SIDs. Although it might be those two in many deployments, their SIDs might actually depends on other factors. I suggest to just add comments. Maybe we could use variables instead but since it might very well be the right SIDs in many deployment, a comment might be enough. Another approach would be to use their names as it has the same name in all locales, suggestions?
I also updated the public documentation to reflect this: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-dnsadmins .
2020-06-20 10:31:34 -04:00
d62c0a0dda
updated to yaml files
2020-06-04 18:22:23 -07:00
d8321c70a5
Documentation links should not include locale - fix and add validations ( #678 )
...
* Documentation links should not include locale - fix and add validations
2020-05-13 15:07:12 +03:00
92badcb01b
additional fields
2020-04-16 15:15:06 +02:00
5e99618a65
query to detect account lockouts
2020-04-14 21:27:10 +02:00
7a0bb5aa62
correcting query text to fix yaml parsing
2020-02-11 13:02:51 -08:00
3e87fafa80
Merge pull request #452 from duzlov/master
...
Add '$' to regex expressions
2020-01-21 08:05:41 -08:00
4b514bf860
Add '$' to regex expressions
2020-01-21 17:55:20 +03:00
0e2829f1db
Update UserAccountAddedToPrivlegeGroup.yaml
...
Add '$' to regex expression. The query returns invalid extra results without it.
2020-01-20 14:38:56 +03:00
68bae86af1
Fixes based on feedback
2019-12-18 10:32:59 -08:00
a36c7f42fc
Updating Process entropy and adding in rare process path
2019-12-16 08:10:37 -08:00
795e2528f2
Fixing issue with decimal values in entropy calc
2019-12-10 10:51:36 -08:00
38f8f7e89d
fix for partner reported issue
2019-10-11 19:02:10 +01:00
10c35e3e22
missed a couple timestamps
2019-09-04 08:35:55 -07:00
0b92a4bf6a
Updating entities and putting in YAML format
2019-09-03 15:10:13 -07:00
0cf49f9157
Update UserCreatedByUnauthorizedUser.txt
2019-08-22 13:21:52 -07:00
bd0152920b
Update UserAdd_RemToGroupByUnauthorizedUser.txt
2019-08-22 13:21:31 -07:00
1cb99ebc61
Update UserAccountCreatedDeleted.txt
2019-08-22 13:21:02 -07:00
981e47e943
Update UserAccountAddedToPrivlegeGroup.txt
2019-08-22 13:20:37 -07:00
33216ef161
Update ProcessEntropy.txt
2019-08-22 13:20:07 -07:00
78e0c8e954
Update masquerading_files.txt
2019-08-22 13:19:31 -07:00
9964cb9b33
Update GroupAddedToPrivlegeGroup.txt
2019-08-22 13:19:04 -07:00
c24c05566f
Update enumeration_user_and_group.txt
2019-08-22 13:18:18 -07:00
8d63506dec
Updated max time
2019-08-22 10:54:06 -07:00
8d9d833705
updated for readability
2019-08-22 10:42:39 -07:00
b26325b3e4
Update Least_Common_Process_With_Depth.txt
2019-08-22 10:41:50 -07:00
10bf80c10d
updated typo
2019-08-22 10:41:23 -07:00
d794ea5f61
Updated typo
2019-08-22 10:40:49 -07:00
0b66e953c6
Updated tactic
2019-08-22 10:38:38 -07:00
a356159790
Updated tactic for defense evasion
2019-08-22 10:37:53 -07:00
6e40fee8f1
Update uncommon_processes.txt
2019-08-21 16:37:29 -07:00
896f9fd401
Update powershell_newencodedscipts.txt
2019-08-21 16:36:23 -07:00
4b87db393c
Update powershell_downloads.txt
2019-08-21 16:35:43 -07:00
b72ebaa33e
Update new_processes.txt
2019-08-21 16:34:44 -07:00
5ce56b0c2e
Update masquerading_files.txt
2019-08-21 16:34:18 -07:00
8ec8857d59
Update UserCreatedByUnauthorizedUser.txt
2019-08-21 16:32:35 -07:00
1b7789867d
Update UserAdd_RemToGroupByUnauthorizedUser.txt
2019-08-21 16:31:49 -07:00
f0c667941f
Update UserAccountCreatedDeleted.txt
2019-08-21 16:29:47 -07:00
7279e2f376
Update UserAccountAddedToPrivlegeGroup.txt
2019-08-21 16:29:06 -07:00
b2584b9dfc
Update RareProcbyServiceAccount.txt
2019-08-21 16:28:13 -07:00
d0ddf23ec4
Update HostsWithNewLogons.txt
2019-08-21 16:24:07 -07:00
cc8c27399c
Added Account and Host Entities
2019-08-21 16:22:19 -07:00
9f1c374f68
Update CustomUserList_FailedLogons.txt
2019-08-16 18:17:55 -07:00
fae68602ce
Update powershell_downloads.txt
2019-08-16 17:49:34 -07:00
22dbe86843
Update persistence_create_account.txt
2019-08-16 17:48:11 -07:00
b79e191dd2
Update masquerading_files.txt
2019-08-16 17:45:34 -07:00
9c26349667
Update enumeration_user_and_group.txt
2019-08-16 17:44:17 -07:00
5dd70b748b
Update VIPAccountFailedLogons.txt
2019-08-16 17:42:04 -07:00
783bc2eff9
Update UserCreatedByUnauthorizedUser.txt
2019-08-16 17:40:24 -07:00
395f257432
Update UserAdd_RemToGroupByUnauthorizedUser.txt
2019-08-16 17:39:32 -07:00
d9ba1d669b
Update UserAccountCreatedDeleted.txt
2019-08-16 17:38:04 -07:00
2f97bff917
Update UserAccountAddedToPrivlegeGroup.txt
2019-08-16 17:36:26 -07:00
5129fd46a5
Update ProcessEntropy.txt
2019-08-16 17:33:38 -07:00
7befd2ff04
Update HostsWithNewLogons.txt
2019-08-16 17:28:50 -07:00
fb55b429d5
Update CustomUserList_FailedLogons.txt
2019-08-16 17:23:20 -07:00
62e98a7440
Update uncommon_processes.txt
2019-08-16 16:29:48 -07:00
23c9e07496
PR fixes
2019-05-24 13:10:00 -07:00
56c11bde26
PR fixes 2
2019-05-24 11:01:40 -07:00
64344416ca
PR fixes
2019-05-24 10:47:21 -07:00
25614356b6
Some Least Common Process Create hunting queries
2019-05-23 11:07:54 -07:00
575636a0aa
Merge pull request #158 from Azure/Entropy-Process
...
Adding in process entropy query
2019-05-21 07:14:04 -07:00
4f28c29821
couple other join fixes and removed some trailing comments
2019-05-21 07:05:23 -07:00
d51f4366cc
Fixing join order for efficiency
2019-05-21 06:59:45 -07:00
eba87ba0a9
Fixing type on TimeGenerated
2019-05-13 08:26:36 -07:00
4ce01a545a
Merge pull request #154 from Azure/Ajeet_Sigma_ServiceAccount
...
SIGMA queries as well as Rare Process by service account
2019-05-10 12:10:54 -07:00
e42d345177
coulpe non-code typos
2019-05-10 11:25:56 -07:00
29e44c4b99
fixing vars a bit
2019-05-10 11:23:53 -07:00
fd20676d96
Adding in process entropy query
2019-05-10 09:13:45 -07:00
eed6409d74
Updated with changes suggested by Shain
2019-05-09 11:14:57 -07:00
82dcd64b9d
SIGMA queries as well as Rare Process by service account
2019-05-03 14:16:30 -07:00
9649cf659f
Merge pull request #149 from Azure/FixingVIPAccountHunting
...
Doing join with list, it was left out accidentally
2019-05-03 08:23:04 -07:00
f1b7e0a81c
Fix host with new logons query ( #151 )
...
* Fix host with new logons query
* No need to commit DeployedQueries.json
2019-05-01 10:47:39 +03:00
df141eda88
Doing join with list, it was left out accidentally
2019-04-29 11:30:08 -07:00
2fa84e08cc
Fix hunting queries
2019-04-28 14:34:46 +03:00
897bc22bbe
Merge pull request #138 from Azure/deploy_hunting_queries
...
Deploy hunting queries
2019-04-17 10:33:20 -07:00
7d5bc352b3
Revert changes
2019-04-07 14:36:10 +03:00
3fee97a885
Updateing list of WellKnownGroupSID to include DNSAdmins and DnsUpdat… ( #139 )
...
* Updateing list of WellKnownGroupSID to include DNSAdmins and DnsUpdateProxy groups
* Including WellKnownGroupSID check to allow for inclusion of accounts that may not be in the list that is manually included
2019-04-03 16:06:42 +01:00
76a86a3604
Deploy hunting queries
2019-04-03 13:26:35 +03:00
fe7f03b28d
Update new_process hunting query ( #114 )
2019-03-19 03:07:19 -07:00
5b77dc31ae
Changed technique to tactic in hunting queries
2019-03-13 10:00:40 -07:00
3a46c80a59
Updating Trigger info and other minor changes to formatting of txt in comment section ( #120 )
2019-03-06 13:48:56 +00:00
2e974aa9f8
Updating a detection with correct properties and adding in Greg's custom user list failed logons into hunting
2019-03-05 08:33:27 -08:00
4d031108bc
Initial commit of changes for Feb 27
2019-02-27 13:30:19 -08:00
fde110c7da
Bringing in alerts requested by customer
2019-02-21 22:22:33 -08:00
814bfb42e5
update template and cscript summary
2019-02-15 11:48:13 -08:00
470d0e7dcb
Updated new_processes to new template, moved to SecurityEvent.
2019-02-15 10:54:40 -08:00
d660c55bc0
Detections from cc gregco ( #48 )
...
* adding in alerts and hunting queries from CC
* Adjusted per recommendations from Tim.
2019-02-14 17:14:13 +00:00
fc62e911b9
fix up 'Data source' and 'Data Source' to be 'DataSource' and ensure log analytics table is prepended with # character for easier searching. ( #35 )
2019-02-07 16:53:46 +00:00
juliango2100
Ashwin Patil
Shain
Yaron Fruchtmann
Pierre Audonnet
##[set-env name=HappeningStatus]"Its
Igal
Jan Marek
Dmitry Uzlov
Shain Wray (MSTIC)
Tim Burrell (MSTIC)
Zane Coppedge
Ajeet Prakash (MSTIC)
Igal Shapira
Petitohead
Julian Gonzalez
timbMSFT