aprakash13
a02403e37d
Merge pull request #5165 from BlackB0lt/patch-6
New Hunting - Spawning MSDT process
2022-06-13 18:15:09 -07:00
aprakash13
7fcd6623ad
Merge pull request #5004 from BlackB0lt/patch-4
New Campaign - BPFDoor
2022-06-13 17:58:03 -07:00
Justin C
02dc3a90be
Update CVE-2022-26134-Confluence.yaml
2022-06-10 15:48:38 -07:00
Justin C
1df1e4f31e
Create CVE-2022-26134-Confluence.yaml
2022-06-10 15:25:09 -07:00
aprakash13
35364def51
Merge pull request #4883 from BlackB0lt/patch-2
New Detection - KrbRelayUp Tool
2022-06-10 13:13:12 -07:00
aprakash13
c71e501f69
Merge pull request #5009 from BlackB0lt/patch-5
New Hunting - VMWare-LPE-2022-22960 Exploit
2022-06-10 13:06:17 -07:00
aprakash13
476f923f40
Merge pull request #5273 from ep3p/patch-6
Fix mistake in CrossServiceADXQueries.yaml
2022-06-10 12:58:40 -07:00
aprakash13
cf04dcf6a9
Merge pull request #4780 from bracherp/patch-2
Create Endpoint Linux Agent Health Status Report
2022-06-10 01:36:22 -07:00
aprakash13
c2fa1a8c11
Merge pull request #4915 from bracherp/patch-3
Create Endpoint Linux AV Signature and Platform Versions
2022-06-10 01:34:11 -07:00
Jose Sebastián Canós
98e8e0846f
Update CrossServiceADXQueries.yaml
2022-06-10 09:55:36 +02:00
Phillip Bracher
56cdb31e2b
Update Endpoint Linux Agent Health Status Report
Update Changes
2022-06-08 13:07:13 -04:00
Phillip Bracher
e63320ef9a
Update Endpoint Linux AV Signature and Platform Versions
2022-06-08 12:56:42 -04:00
Phillip Bracher
da5a0a74b9
Update Endpoint Linux AV Signature and Platform Versions
I added the recommended changes
2022-06-08 12:55:35 -04:00
Shain
6577e2c4d2
Merge pull request #5198 from thmcelro/tom-new-queries
POLONIUM Queries
2022-06-02 08:03:58 -07:00
Thomas McElroy
7ff901179b
Adding outputs
2022-06-02 15:40:00 +01:00
Thomas McElroy
369e23bf0b
Fixing indentation error
2022-06-02 15:14:44 +01:00
Thomas McElroy
5dc8a6741c
New Queries
Committing new queries to branch
2022-05-31 15:31:27 +01:00
Anki Narravula
321f95a111
Revert "Package Creation for Syslog-- DO NOT MERGE AS 1P" (#5140)
* Revert "Package Creation for Syslog-- DO NOT MERGE AS 1P"
* Updated the workbook
Co-authored-by: v-spadarthi <101796244+v-spadarthi@users.noreply.github.com>
2022-05-31 12:36:05 +05:30
Sittikorn S
ed3c49de99
Update and rename detect-office-apps-spawn-msdt-CVE-2022-30190,yaml to detect-office-apps-spawn-msdt-CVE-2022-30190.yaml
2022-05-31 12:34:12 +07:00
Sittikorn S
6565a6f230
New Hunting - Spawning MSDT process
2022-05-31 12:29:33 +07:00
Anki Narravula
6744a2eed2
Merge pull request #5059 from Azure/v-spadarthi-PackagingCreation-Syslog
Package Creation for Syslog-- DO NOT MERGE AS 1P
2022-05-26 01:01:40 +05:30
Shain
0033d0ab0d
Fixing Account entity map for AADUserId
2022-05-23 10:36:07 -07:00
v-spadarthi
7960248dc9
Package Creation done for Syslog
2022-05-23 16:44:18 +05:30
Shain
69b076e40e
typo fix on UserPrincipalName
2022-05-21 08:03:39 -07:00
Shain
8ab766f151
Fixing typos
2022-05-20 17:34:53 -07:00
Shain
2229646bff
Adding additional entity outputs as needed by other tooling and to support future automap of entities similar to Detections
2022-05-20 15:23:48 -07:00
Sittikorn S
957f04ac88
Create VMWare-LPE-2022-22960.yaml
2022-05-19 19:16:30 +07:00
Sittikorn S
6a6285f3e0
Update redmenshen-bpfdoor-backdoor.yaml
2022-05-19 19:14:55 +07:00
Sittikorn S
c9e7755ad0
New Campaign - BPFDoor
2022-05-19 16:28:51 +07:00
Phillip Bracher
3442ac3da7
Create Endpoint Linux AV Signature and Platform Versions
This query will identify the Microsoft Defender Antivirus Engine version and Microsoft Defender Antivirus Security Intelligence version for Linux Servers.
2022-05-12 16:45:46 -04:00
bracherp
34db95c11b
Update Endpoint Linux Agent Health Status Report
2022-05-12 13:05:06 -04:00
bracherp
f18bd1bbdd
Update Endpoint Linux Agent Health Status Report
2022-05-12 13:01:27 -04:00
Sittikorn S
57faeee943
Update KrbRelayUpServiceCreation
Edit MaliciousService
2022-05-11 20:21:18 +07:00
Sittikorn S
f1ee09c879
New Detection - KrbRelayUp Tool
Required items, please complete
Change(s):
Create New rule to detect service creation from KrbRelayUp tool
Reason for Change(s):
New rule to detect service creation from KrbRelayUp tool
Version Updated: 1.0
Required only for Detections/Analytic Rule templates
Testing Completed:
Tested on event with sigma rule
Checked that the validations are passing and have addressed any issues that are present:
See guidance below
References: https://github.com/Dec0ne/KrbRelayUp
2022-05-11 19:03:04 +07:00
aprakash13
bc3a62616f
Merge pull request #4783 from iotmaker1/patch-1
Update OperationNameValue comparison operator
2022-05-11 04:56:19 -07:00
Shain
a2e89da3c5
Fixing missing day due to midtime usage
2022-05-09 16:02:13 -07:00
Ashwin Patil
e90585c7e6
changes and fixes
2022-05-09 13:12:50 -07:00
Ashwin Patil
bd790567bd
fixes
2022-05-09 09:00:49 -07:00
Ashwin Patil
c1be3d6096
adding new query
2022-05-09 08:52:24 -07:00
aprakash13
fd750efdda
Merge pull request #4712 from Azure/4R9UN--Private-Ip-Address-exclusion
Update GitLab_MaliciousIP.yaml
2022-05-04 14:53:12 -07:00
iotmaker1
f0540ea901
Update OperationNameValue comparison operator
The OperationNameValue is sometimes mixed lower and uppercase. The lower case value drastically limits the number of results and overlooks the mixed case values of "Microsoft.Storage/storageAccounts/listKeys/action". Using the =~ operator accommodates the mixed case values.
2022-05-04 09:39:20 -04:00
bracherp
67dabda02c
Create Endpoint Linux Agent Health Status Report
2022-05-03 17:32:18 -04:00
Jose Sebastián Canós
ff70b34d80
Update CrossServiceADXQueries.yaml
2022-04-27 16:30:34 +02:00
Jose Sebastián Canós
fcbe6dd4db
Create CrossServiceADXQueries.yaml
2022-04-27 15:37:07 +02:00
Arjun Trivedi
f978258005
Update SuspectedProxyTokenExploitation.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 14:38:49 +05:30
Arjun Trivedi
bca4d5f234
Update ExchangeServerProxyLogonURI.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 14:37:54 +05:30
Arjun Trivedi
e8b79a46b7
Update SuspectedMailBoxExportHostonOWA.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 14:36:50 +05:30
Arjun Trivedi
d1c6d1506b
Update WebShellActivity.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 14:22:02 +05:30
Arjun Trivedi
c91a3881e5
Update ClientIPwithManyUserAgents.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 12:46:40 +05:30
Arjun Trivedi
6374cd17e4
Update RareUserAgentStrings.yaml
Exclude local addresses, using the ipv4_is_private operator
2022-04-26 12:43:16 +05:30