Commit graph

92 Commits

Author SHA1 Message Date
Pete Bryan 0bbc82f5d3 Added queries and detections for cross tenant activity:
Detection:
- Run being used for a unique PowerShell command
- Run being used by a user with UEBA alerts
- Portal signins from another Azure tenant
Hunting:
- Run used from another Azure IP
- Run activity linked with MDE data
- Dormant user account being activated
- Dormant user account being activated (with UEBA)
- Dormant SP being activated
2021-10-24 23:24:41 -07:00
Shain c495855532
Update Creating_Anomalous_Number_Of_Resources.yaml
Fixing line 17 - OperationNameValue match include syntax is wrong.
2021-09-29 10:47:13 -07:00
Ashwin Patil fbd4f8cf3b changes per PR review by Shain 2021-09-23 14:13:17 -07:00
Ashwin Patil ff8ea8c4ed
Merge branch 'master' into signinlogsquery-fix 2021-09-17 18:30:32 -07:00
Ashwin Patil 3917ba33cb updating logic to new field OperationNameValue 2021-09-17 17:56:44 -07:00
Ashwin Patil 27c31c8fdb changed to new field - OperationNameValue 2021-09-17 13:31:30 -07:00
Ashwin Patil bee886b81b changed field to new - OperationNameValue 2021-09-17 13:27:20 -07:00
Ashwin Patil 849de7cf50 updating logic to new field OperationNameValue 2021-09-17 13:01:10 -07:00
Shain Wray (MSTIC) 54b4792b1c Updating queries with common timestamp param to support future features. 2021-09-10 10:10:13 -07:00
Shain 302e8a77bc
Update Granting_Permissions_to_Account.yaml
Removing results that don't done
2021-08-30 08:32:58 -07:00
Ashwin Patil db93109a5e reverting back to OperationName from OperationNameValue 2021-08-17 13:34:06 -07:00
Ashwin Patil cef413d84e reverting query to last known good state 2021-08-17 12:52:52 -07:00
Ashwin Patil 197b070056 reverting query to last known good state 2021-08-17 12:50:55 -07:00
Ashwin Patil edbf0522d6 reverting last change in PR - missing line 2021-08-17 12:31:16 -07:00
Ashwin Patil 72b668dc61 fixing the query - overwritten in last PR 2021-08-17 11:50:47 -07:00
Ajeet Prakash (MSTIC) 16fe6108dd Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate.
TechniqueId   TechniqueName                   New
T1483         Domain Generation Algorithms    T1568
T1064         Scripting                       T1059
T1043         Commonly Used Port              T1071
T1065         Uncommonly Used Port            T1571
T1100         Web Shell                       T1505
T1089         Disabling Security Tools        T1562
T1035         Service Execution               (Removed totally T1035 without replacement)
T1109         Component Firmware              T1542
T10178                                        T1078
2021-08-12 10:58:18 -07:00
Pete Bryan 9c31372366 fixes 2021-08-06 14:18:45 -07:00
Pete Bryan e030abc8e7 Fixes 2021-08-06 14:12:37 -07:00
Pete Bryan 8ce810c175 ASimProcess to LAQueryLogs 2021-07-30 16:06:59 -07:00
Shain cefb70efa0
Update Common_Deployed_Resources.yaml
removing hanging comment
2021-07-13 13:12:23 -07:00
Shain d646cdbae9
Update Common_Deployed_Resources.yaml
This was rolled back, need to change back to something closer to May 3rd PR. This is updated to use new Value fields.
2021-07-13 11:00:30 -07:00
Shahar Aviv 1bfc7a1c43
Merge branch 'master' into shaharBranch2 2021-05-13 11:10:21 +03:00
t-shaviv b5c26dca2f fixed PortOpened 2021-05-12 14:11:31 +03:00
t-shaviv 7b795eb981 fixed Granting_Permissions 2021-05-12 14:10:58 +03:00
t-shaviv 9edeeef5a1 fixed Creating_Anomalous 2021-05-12 14:10:26 +03:00
t-shaviv 297f606ee1 fixed Common_Deployed 2021-05-12 14:09:50 +03:00
t-shaviv 058224969c fixed AzureVirtualNetworkSubnets 2021-05-12 14:09:20 +03:00
t-shaviv 7e8b2483bc fixed AzureSentinelConnectors_Admin 2021-05-12 14:08:38 +03:00
t-shaviv d87febd45b fixed anomalous 2021-05-12 14:07:55 +03:00
t-shaviv 7ae3296072 fixed AnalyticsRulesAdministrativeOperations 2021-05-12 12:33:59 +03:00
Shain 28720e4122
Update Common_Deployed_Resources.yaml 2021-05-03 08:27:34 -07:00
Pete Bryan 7ce022612a Hunting query timeframe updates 2021-04-12 14:15:43 -07:00
Shain Wray (MSTIC) 7e233ecc7c adding in timegenerated and using has 2021-03-21 19:53:36 -07:00
Shain Wray (MSTIC) bffde1fcb0 adding in entities and fixing up some queries. 2021-03-21 12:11:46 -07:00
Thomas McElroy 7c31deb32e Ignite 2021 Queries
- Creating AdditionalFilesUploadedByActor.yaml Detection: When an Azure Defender alert for a known-bad file hash triggers, the detection will collate other files uploaded by that same IP address to detect other risky files.
- Created AzureAdministrationFromVPS.yaml Hunting Query: Finds instances where Azure Admin Activity takes place from a known VPS provider.
- Created AzureStorageFileCreateAccessDelete.yaml Hunting Query: Finds instances where a file is created in Azure Storage, accessed by a single user, and then deleted.
- Created AzureStorageFileCreatedQuicklyDeleted.yaml Hunting Query: Finds instances where a file is created and then deleted within a given threshold (by default 5min).
- Created AzureStorageFileOnEndpoint.yaml Hunting Query: Finds instances where a file in Azure Storage is present on an Endpoint system based on data from Microsoft 365 Defender Advanced Hunting data.
- Created AzureStorageMassDeletion.yaml Hunting Query: Finds instances where a mass-deletion event occurs from a single IP address. Configurable thresholds.
- Created AzureStorageUploadFromVPS.yaml Hunting Query: Finds instances where a VPS provider IP is used to upload files to Azure Storage.
- Created AzureStorageUploadLinkAccount.yaml Hunting Query: Links user account to Azure storage upload action if the upload action takes place through Azure Portal.
2021-02-22 14:18:07 +00:00
Pete Bryan 45d6059d37 solarigate queries 2020-12-17 14:10:48 +00:00
Ashwin Patil f85c19e438 adding yaml extension 2020-07-23 16:19:48 -07:00
Ashwin Patil 61dde1a424 moving file from parent to under AzureActivity 2020-07-23 16:17:00 -07:00
YaronFruchtmann fb31e9ba14
Merge pull request #872 from hesaad/patch-8
Create AzureSentinelWorkbooks_AdministrativeOperation
2020-07-21 14:56:30 +03:00
YaronFruchtmann 3a670c39dd
Merge pull request #871 from hesaad/patch-7
Create AzureVirtualNetworkSubnets_AdministrativeOperationset
2020-07-21 14:55:32 +03:00
YaronFruchtmann d55a4dc41e
Merge pull request #870 from hesaad/patch-6
Create AzureNSG_AdministrativeOperations
2020-07-21 14:54:22 +03:00
hesaad a1bd06d26d
Update AnalyticsRulesAdministrativeOperations 2020-07-21 15:49:50 +04:00
hesaad 92ddd86ef7
Update AzureNSG_AdministrativeOperations 2020-07-21 15:47:35 +04:00
hesaad 2e837f82dd
Update AzureVirtualNetworkSubnets_AdministrativeOperationset 2020-07-21 15:47:04 +04:00
hesaad cd42881398
Update AzureSentinelWorkbooks_AdministrativeOperation 2020-07-21 15:46:33 +04:00
hesaad 0a1a6da392
Update AzureVirtualNetworkSubnets_AdministrativeOperationset 2020-07-21 11:34:44 +04:00
hesaad ccf25464a1
Update AzureSentinelWorkbooks_AdministrativeOperation 2020-07-21 11:31:30 +04:00
hesaad b5713b6d4c
Update AzureNSG_AdministrativeOperations 2020-07-21 11:29:28 +04:00
hesaad 6e3ab4d38d
Update AzureNSG_AdministrativeOperations 2020-07-21 11:28:22 +04:00
hesaad e0b56c12d1
Update AnalyticsRulesAdministrativeOperations 2020-07-21 11:24:32 +04:00