juliango2100
7279e2f376
Update UserAccountAddedToPrivlegeGroup.txt
2019-08-21 16:29:06 -07:00
juliango2100
b2584b9dfc
Update RareProcbyServiceAccount.txt
2019-08-21 16:28:13 -07:00
juliango2100
d0ddf23ec4
Update HostsWithNewLogons.txt
2019-08-21 16:24:07 -07:00
juliango2100
cc8c27399c
Added Account and Host Entities
2019-08-21 16:22:19 -07:00
juliango2100
9f1c374f68
Update CustomUserList_FailedLogons.txt
2019-08-16 18:17:55 -07:00
juliango2100
fae68602ce
Update powershell_downloads.txt
2019-08-16 17:49:34 -07:00
juliango2100
22dbe86843
Update persistence_create_account.txt
2019-08-16 17:48:11 -07:00
juliango2100
b79e191dd2
Update masquerading_files.txt
2019-08-16 17:45:34 -07:00
juliango2100
9c26349667
Update enumeration_user_and_group.txt
2019-08-16 17:44:17 -07:00
juliango2100
5dd70b748b
Update VIPAccountFailedLogons.txt
2019-08-16 17:42:04 -07:00
juliango2100
783bc2eff9
Update UserCreatedByUnauthorizedUser.txt
2019-08-16 17:40:24 -07:00
juliango2100
395f257432
Update UserAdd_RemToGroupByUnauthorizedUser.txt
2019-08-16 17:39:32 -07:00
juliango2100
d9ba1d669b
Update UserAccountCreatedDeleted.txt
2019-08-16 17:38:04 -07:00
juliango2100
2f97bff917
Update UserAccountAddedToPrivlegeGroup.txt
2019-08-16 17:36:26 -07:00
juliango2100
5129fd46a5
Update ProcessEntropy.txt
2019-08-16 17:33:38 -07:00
juliango2100
7befd2ff04
Update HostsWithNewLogons.txt
2019-08-16 17:28:50 -07:00
juliango2100
fb55b429d5
Update CustomUserList_FailedLogons.txt
2019-08-16 17:23:20 -07:00
juliango2100
62e98a7440
Update uncommon_processes.txt
2019-08-16 16:29:48 -07:00
Zane Coppedge
23c9e07496
PR fixes
2019-05-24 13:10:00 -07:00
Zane Coppedge
56c11bde26
PR fixes 2
2019-05-24 11:01:40 -07:00
Zane Coppedge
64344416ca
PR fixes
2019-05-24 10:47:21 -07:00
Zane Coppedge
25614356b6
Some Least Common Process Create hunting queries
2019-05-23 11:07:54 -07:00
shainw
575636a0aa
Merge pull request #158 from Azure/Entropy-Process
Adding in process entropy query
2019-05-21 07:14:04 -07:00
Shain Wray (MSTIC)
4f28c29821
couple other join fixes and removed some trailing comments
2019-05-21 07:05:23 -07:00
Shain Wray (MSTIC)
d51f4366cc
Fixing join order for efficiency
2019-05-21 06:59:45 -07:00
Shain Wray (MSTIC)
eba87ba0a9
Fixing type on TimeGenerated
2019-05-13 08:26:36 -07:00
shainw
4ce01a545a
Merge pull request #154 from Azure/Ajeet_Sigma_ServiceAccount
SIGMA queries as well as Rare Process by service account
2019-05-10 12:10:54 -07:00
Shain Wray (MSTIC)
e42d345177
couple non-code typos
2019-05-10 11:25:56 -07:00
Shain Wray (MSTIC)
29e44c4b99
fixing vars a bit
2019-05-10 11:23:53 -07:00
Shain Wray (MSTIC)
fd20676d96
Adding in process entropy query
2019-05-10 09:13:45 -07:00
Ajeet Prakash (MSTIC)
eed6409d74
Updated with changes suggested by Shain
2019-05-09 11:14:57 -07:00
Ajeet Prakash (MSTIC)
82dcd64b9d
SIGMA queries as well as Rare Process by service account
2019-05-03 14:16:30 -07:00
shainw
9649cf659f
Merge pull request #149 from Azure/FixingVIPAccountHunting
Doing join with list, it was left out accidentally
2019-05-03 08:23:04 -07:00
Igal
f1b7e0a81c
Fix host with new logons query ( #151 )
* Fix host with new logons query
* No need to commit DeployedQueries.json
2019-05-01 10:47:39 +03:00
Shain Wray (MSTIC)
df141eda88
Doing join with list, it was left out accidentally
2019-04-29 11:30:08 -07:00
Igal Shapira
2fa84e08cc
Fix hunting queries
2019-04-28 14:34:46 +03:00
juliango2100
897bc22bbe
Merge pull request #138 from Azure/deploy_hunting_queries
Deploy hunting queries
2019-04-17 10:33:20 -07:00
Igal Shapira
7d5bc352b3
Revert changes
2019-04-07 14:36:10 +03:00
shainw
3fee97a885
Updating list of WellKnownGroupSID to include DNSAdmins and DnsUpdat… ( #139 )
* Updating list of WellKnownGroupSID to include DNSAdmins and DnsUpdateProxy groups
* Including WellKnownGroupSID check to allow for inclusion of accounts that may not be in the list that is manually included
2019-04-03 16:06:42 +01:00
Igal Shapira
76a86a3604
Deploy hunting queries
2019-04-03 13:26:35 +03:00
Petitohead
fe7f03b28d
Update new_process hunting query ( #114 )
2019-03-19 03:07:19 -07:00
Julian Gonzalez
5b77dc31ae
Changed technique to tactic in hunting queries
2019-03-13 10:00:40 -07:00
shainw
3a46c80a59
Updating Trigger info and other minor changes to formatting of txt in comment section ( #120 )
2019-03-06 13:48:56 +00:00
Shain Wray (MSTIC)
2e974aa9f8
Updating a detection with correct properties and adding in Greg's custom user list failed logons into hunting
2019-03-05 08:33:27 -08:00
Shain Wray (MSTIC)
4d031108bc
Initial commit of changes for Feb 27
2019-02-27 13:30:19 -08:00
Shain Wray (MSTIC)
fde110c7da
Bringing in alerts requested by customer
2019-02-21 22:22:33 -08:00
Julian Gonzalez
814bfb42e5
update template and cscript summary
2019-02-15 11:48:13 -08:00
Julian Gonzalez
470d0e7dcb
Updated new_processes to new template, moved to SecurityEvent.
2019-02-15 10:54:40 -08:00
shainw
d660c55bc0
Detections from cc gregco ( #48 )
* adding in alerts and hunting queries from CC
* Adjusted per recommendations from Tim.
2019-02-14 17:14:13 +00:00
timbMSFT
fc62e911b9
fix up 'Data source' and 'Data Source' to be 'DataSource' and ensure log analytics table is prepended with # character for easier searching. ( #35 )
2019-02-07 16:53:46 +00:00
juliango2100
f128fab8a2
Update powershell_downloads.txt
Updated the id field
2019-02-06 14:23:53 -08:00
timbMSFT
c1b36d540f
Adding new IDs for recently added queries ( #32 )
2019-02-06 12:35:02 +00:00
timbMSFT
a892bddaa4
Update community github with IDs from internal working repo. ( #31 )
2019-02-06 11:01:10 +00:00
timbMSFT
1600f06a3f
Huntingbugbash ( #28 )
* AzureActivity - add some default timestamp clauses.
OfficeActivity - sharepoint downloads by UA - make join leftanti
* remove aggregated.txt
* filter out records where client IP is blank
* enumeration - summarize results better.
* fix up query - summarize better
* this is an exploration query - requires process name as input?
moved to that folder
* make regex less restrictive
2019-02-04 16:14:00 +00:00
shainw
58a9bb4710
Expl hunt upd shainw jan30 ( #17 )
* Adding UnauthUser query
* Adding several new expansion and a couple hunting queries, changed a couple names of files
* missed changing the variable string on these
2019-01-31 11:57:57 +00:00
timbMSFT
bb0b761ba2
Hunting24thjan ( #14 )
* Andrew's traffic to knownbadIPs query.
powershell empire - customer scenario request.
* Initial malformed useragent query - as built-in detection
* more bad UA criteria
* limit result set
* move powershell empire query to detections folder
2019-01-25 13:49:43 +00:00
timbMSFT
38faeb1656
folder restructure for hunting queries, exploration queries, and built-in alerts aka detections. ( #12 )
2019-01-24 10:30:15 +00:00