c7393474be
Merge branch 'Azure:master' into patch-1
2021-09-17 16:38:48 +03:00
e01fb34062
Merge pull request #3057 from Azure/MSHTML_Vuln_DetectionQuery
...
MSHTML Vuln related to CVE-2021-40444
2021-09-17 06:37:50 -07:00
fb388c2149
Fixed make-series and updated version to 1.0.1
...
Fixed make-series and updated version to 1.0.1
2021-09-17 16:35:54 +03:00
831a0b4c62
Update MSHTMLVuln.yaml
...
Adding example of what the regex will match on; in the description section for better understanding.
2021-09-17 00:47:12 -07:00
255c71d23e
Update OMIGODVulnerableMachines.yaml
...
Updating Version number.
2021-09-16 23:53:51 -07:00
07dc5b33f5
Adding Tags
2021-09-16 23:50:20 -07:00
fab11126cc
MSHTML Vuln related to CVE-2021-40444
2021-09-16 23:22:38 -07:00
051427d1fe
Merge pull request #3054 from Azure/OMI_Vuln_Query
...
Queries related to OMIGOD Vuln.
2021-09-16 23:10:25 -07:00
745ea3cbcb
Update OMIGODVulnerableMachines.yaml
2021-09-16 18:13:37 -07:00
e63978da40
Update OMIGODVulnerableMachines.yaml
...
Removing the locale en-us from the reference Link
2021-09-16 18:02:44 -07:00
6c8a55d7cd
Update OMIGODVulnerableMachines.yaml
2021-09-16 17:55:04 -07:00
6dd05ce67a
Update OMIGODVulnerableMachines.yaml
...
Removing the connectorId and adding link to the continuous export feature of Azure Defender
2021-09-16 17:47:16 -07:00
6797002777
Queries related to OMIGOD Vuln.
2021-09-16 17:30:48 -07:00
53f6d2bfed
Merge pull request #2900 from d1mav0/patch-2
...
Update SuccessThenFail_DiffIP_SameUserandApp.yaml
2021-09-16 16:39:30 -07:00
eceb2637e2
Merge pull request #2962 from Lodewyk-Git/patch-7
...
Updated to include TargetResources
2021-09-16 16:36:05 -07:00
0b73981aa5
IP and Domain TI detections
...
Using optimized DNS Parsers
2021-09-14 17:55:17 +03:00
a9c520b766
Fixed make-series TimeGenerated
...
Fixed make-series TimeGenerated
2021-09-05 19:58:09 +03:00
54cfbda30f
Adding optimized detections ( #2932 )
...
* dns detection
* Changing time pre-filter to include =
Merging despite kql validation fail - the test is missing support for normalization functions
2021-09-05 09:11:59 +03:00
b8077ad472
Update UseraddedtoPrivilgedGroups.yaml
2021-09-03 11:20:36 +02:00
069f2407de
Updated to include TargetResources
...
Add check and mapping for user who gained privileged access
2021-09-03 11:09:40 +02:00
1be379108d
Update Manganese_VPN-IOCs.yaml
2021-08-31 18:40:45 +03:00
c1e8897a5b
Update Manganese_VPN-IOCs.yaml
2021-08-31 18:38:51 +03:00
146b6f09d2
Merge pull request #2911 from Cyb3rWard0g/feature/new-adhealth-service
...
added new queries to identify Azure Hybrid health AD FS service activity
2021-08-26 12:00:27 -07:00
36bea23fe4
Merge pull request #2898 from Cyb3rWard0g/feature/adhealth-monitoring-reg-access
...
detecting access to the ADhealth monitoring agent registry key
2021-08-26 12:00:15 -07:00
1d557118ab
added url back to rule description
2021-08-26 14:16:58 -04:00
a88e15d66c
removed links from PR
2021-08-26 10:33:58 -04:00
a29b92731c
removed wrong version and timeframe variable
2021-08-26 03:53:24 -04:00
3b24267009
removed wrong version and timeframe variables
2021-08-26 03:50:40 -04:00
f04d22a53b
added new queries to identify Azure Hybrid health AD FS service activity
2021-08-26 03:35:08 -04:00
e6401cf426
Update SuccessThenFail_DiffIP_SameUserandApp.yaml
...
* Added FailedIPAddress IP entity, which is useful in investigations
* Changed entity mapping style to current version
* Removed old style entity mapping from KQL
2021-08-25 12:21:29 +02:00
fa074081e2
updated template version
2021-08-25 03:11:35 -04:00
ec47d5c34c
updated version
2021-08-25 03:10:23 -04:00
0a62f4ae90
detecting access to the ADhealth monitoring agent registry key
2021-08-25 03:04:57 -04:00
f6e6efc994
detecting access to ADHealth Service Agent registry keys
2021-08-25 02:42:48 -04:00
43167cb1ed
Merge pull request #2803 from Azure/pebryan/2021-8-9_Watchlists
...
Watchlist template queries
2021-08-19 13:13:18 -07:00
4b19102df3
Removing Case sensitivity related to MemberName. The difference between CN= and cn= cause result disparities.
2021-08-16 10:56:50 -07:00
4a2f12a177
Update imSigninAttemptsByIPviaDisabledAccounts.yaml
2021-08-16 13:33:45 +03:00
7190f44877
Update imSigninAttemptsByIPviaDisabledAccounts.yaml
2021-08-16 13:33:38 +03:00
d61f9daf4c
Merge pull request #2844 from Azure/validateVersionChange
...
Create checkThatTemplatesVersionWasChanged.sh
2021-08-16 10:04:29 +03:00
0a674b211b
Update imAuthBruteForce.yaml
2021-08-16 09:58:20 +03:00
9e217ea7f3
Update imAuthBruteForce.yaml
2021-08-16 09:55:53 +03:00
f31b04bb96
Update imAuthBruteForce.yaml
2021-08-16 09:38:30 +03:00
0080224e87
Update imAuthBruteForce.yaml
2021-08-16 09:36:02 +03:00
11ed55cfa0
Update imFileESolarWindsSunburstSupernova.yaml
2021-08-16 09:07:03 +03:00
0b74f30fe9
Update imFileESolarWindsSunburstSupernova.yaml
2021-08-16 09:03:41 +03:00
16fe6108dd
Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate.
...
TechniqueId TechniqueName New
T1483 Domain Generation Algorithms T1568
T1064 Scripting T1059
T1043 Commonly Used Port T1071
T1065 Uncommonly Used Port T1571
T1100 Web Shell T1505
T1089 Disabling Security Tools T1562
T1035 Service Execution ( Removed totally T1035 without replacement)
T1109 Component Firmware T1542
T10178 T1078
2021-08-12 10:58:18 -07:00
b5ae30c6fe
Added Azure Resource Entities
2021-08-09 14:19:58 -07:00
6ee571a406
Updated queries
2021-08-09 11:33:32 -07:00
140d3226fd
Update ProxyShellPwn2Own.yaml
2021-08-09 17:05:34 +01:00
83461f1fc3
Fixing entity names
2021-08-09 16:07:29 +01:00
Sandy Zeng [MVP]
Shain
aprakash13
Ajeet Prakash (MSTIC)
Yaron
Lodewyk-Git
Ofer Shezaf
Pete Bryan
Roberto Rodriguez
d1mav0
Amit Bergman
Pete Bryan
Thomas McElroy