321f95a111
Revert "Package Creation for Syslog-- DO NOT MERGE AS 1P" ( #5140 )
...
* Revert "Package Creation for Syslog-- DO NOT MERGE AS 1P"
* Updated the workbook
Co-authored-by: v-spadarthi <101796244+v-spadarthi@users.noreply.github.com>
2022-05-31 12:36:05 +05:30
7960248dc9
Package Creation done for Syslog
2022-05-23 16:44:18 +05:30
eae3c184f0
Adding with changes
2022-03-31 16:38:02 -07:00
3917c01be5
Adding for review
2022-03-31 13:41:22 -07:00
ee97399b42
Revert "Revert "Merge branch 'master' of https://github.com/Azure/Azure-Sentinel ""
...
This reverts commit ff69f85224
2022-01-03 16:21:46 +02:00
ff69f85224
Revert "Merge branch 'master' of https://github.com/Azure/Azure-Sentinel "
...
This reverts commit c929df845a53e6c92e3e
2022-01-03 16:04:13 +02:00
306066418e
Adding query for review
2021-12-17 08:55:38 -08:00
0236ba85e7
Adding with slight change in description
2021-12-15 17:41:05 -08:00
7606f23de4
Adding Linux attack toolkit query for review
2021-12-15 16:54:08 -08:00
909b89a2b8
updating or adding version
2021-12-14 20:16:31 -08:00
591589743b
Adding in | where SyslogMessage has "AUOMS_EXECVE" to improve perf so we only parse what is needed
2021-12-14 20:13:21 -08:00
69e13c75f5
Update Firewall_Disable_Activity.yaml
...
fixing AUOMS_EXECVE check
2021-12-14 18:36:47 -08:00
d7cf34077f
Adding with changes
2021-12-14 18:27:06 -08:00
4f9e673235
Adding firewall tampering query for review
2021-12-14 17:27:55 -08:00
305e9350ad
Adding with changes
2021-12-13 18:40:12 -08:00
235acb2b16
Adding process termination query for review
2021-12-13 17:32:00 -08:00
ceb9c897c7
Resubmitting with changes
2021-12-12 17:51:49 -08:00
f96311c3de
Adding Shellscript detected query for review
2021-12-12 16:45:38 -08:00
828263ea1f
Submitting obfuscated scripts query for review
2021-12-12 00:56:59 -08:00
35eb1d344c
Update Apache_log4j_Vulnerability.yaml
2021-12-10 20:54:59 -08:00
8a54ce8e0c
Update and rename ApacheBugExploitation.yaml to Apache_log4j_Vulnerability.yaml
2021-12-10 20:52:59 -08:00
7a3d7e2cc8
Adding query for review
2021-12-10 19:37:52 -08:00
2cc3982f03
Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries.
2021-11-09 18:41:23 -08:00
bfaa274985
improved SCX Execute RunAsProvder to cover older versions of AUOMS
2021-09-24 03:04:35 -04:00
93f89274f4
added ExecuteType to identify what was potentially run with ExecuteShellCommand or ExecuteScript RunAsProvider
2021-09-23 18:02:04 -04:00
8426000fd4
Improved initial query to coecr also ExecuteScript RunAs providers
2021-09-23 16:47:18 -04:00
658ded40d3
added rule to detect the use of SCX ExecuteScript class from RunAsProvider
2021-09-18 03:43:31 -04:00
6289347e38
added filter to improve performance and added Account entity type
2021-09-17 15:24:15 -04:00
1ced1b3376
updated description of hunting query
2021-09-17 03:58:59 -04:00
843255b359
New hunting query to explore the use of SCX RunAsProvider ExecuteShellCommand to execute code any UNIX/Linux command using the /bin/sh shell
2021-09-17 03:55:27 -04:00
54b4792b1c
Updating queries with common timestamp param to support future features.
2021-09-10 10:10:13 -07:00
16fe6108dd
Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate.
...
TechniqueId TechniqueName New
T1483 Domain Generation Algorithms T1568
T1064 Scripting T1059
T1043 Commonly Used Port T1071
T1065 Uncommonly Used Port T1571
T1100 Web Shell T1505
T1089 Disabling Security Tools T1562
T1035 Service Execution ( Removed totally T1035 without replacement)
T1109 Component Firmware T1542
T10178 T1078
2021-08-12 10:58:18 -07:00
9c31372366
fixes
2021-08-06 14:18:45 -07:00
e030abc8e7
Fixes
2021-08-06 14:12:37 -07:00
8c900dafa2
Sylog to Zoom
2021-08-06 13:39:23 -07:00
b1faf7dc83
DNS to Syslog changes
2021-08-04 15:49:57 -07:00
a10c26d96c
Hunting Query TimeFrame Updates
2021-04-15 17:52:25 -07:00
c1451cfc9a
Update RareProcess_ForLxHost.yaml
2020-10-19 11:32:11 -07:00
4a8f525374
Syslog hunting query updates
2020-08-03 10:42:22 -07:00
df44093119
These queries do not work as expansion. Converted to hunting
2020-07-26 20:17:45 +03:00
4e84c68ad6
Reverting...
2020-07-26 14:21:15 +03:00
d366e195bb
Queries cannot serve as expansion. Converted to Hunting
2020-07-26 14:01:26 +03:00
9570b779b3
Small bug fix for when auditd is installed
2020-04-17 14:05:36 +00:00
2bdc91501f
Moved parsers to Parsers directory, and reworked crypto currency miners hunting query into yaml and placed in Hunting Queries directory
2020-04-17 09:55:41 +00:00
ba90e4555f
Updating to include URLCustomEntity where available.
2019-12-23 10:38:26 -08:00
7b8b8eee30
Updating entity and changing to YAML
2019-09-04 07:34:41 -07:00
57918b1941
Update squid_malformed_requests.txt
2019-08-22 13:24:33 -07:00
884c228c2d
Update SchedTaskEditViaCrontab.txt
2019-08-22 13:24:16 -07:00
c03a70842c
Update squid_volume_anomalies.txt
2019-08-21 17:03:34 -07:00
d2c2a5ea83
Update squid_malformed_requests.txt
2019-08-21 17:03:07 -07:00
Anki Narravula
v-spadarthi
gitj121
Ofer Shezaf
Shain Wray (MSTIC)
Shain
Ajeet Prakash (MSTIC)
Roberto Rodriguez
Pete Bryan
Pete Bryan
juliango2100
Yaron Fruchtmann
Kevin Sheldrake