Azure-Sentinel/Hunting Queries/MultipleDataSources
Ashwin Patil e90585c7e6 changes and fixes 2022-05-09 13:12:50 -07:00
AADPrivilegedAccountsFailedMFA.yaml adding tags for queries 2021-10-29 17:36:29 -07:00
AnomolousSignInsBasedonTime.yaml adding tags for queries 2021-10-29 17:36:29 -07:00
ApplicationGrantedEWSPermissions.yaml Fixing rename of count operation 2022-03-29 18:07:18 -07:00
AzureResourceAssignedPublicIP.yaml updating logic to use new value 2021-09-17 18:03:35 -07:00
AzureResourceCreationWithNetworkActivity.yaml updating fields 2021-09-17 18:08:34 -07:00
AzureRunCommandMDELinked.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
CobaltDNSBeacon.yaml Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
Dev-0056CommandLineActivityNovember2021.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml ASIM renames 2022-03-02 15:05:56 -08:00
Dev-0322CommandLineActivityNovember2021.yaml Updating the query 2021-11-08 15:56:58 -08:00
Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml ASIM renames 2022-03-02 15:05:56 -08:00
Dev-0322FileDropActivityNovember2021.yaml Added new hunting queries: 2021-11-08 14:19:50 -08:00
DormantServicePrincipalUpdateCredsandLogsIn.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
DormantUserUpdateMFAandLogsIn-UEBA.yaml Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries. 2021-11-09 18:41:23 -08:00
DormantUserUpdateMFAandLogsIn.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
ExchangeServersAssociatedSecurityAlerts.yaml GUID Updates 2021-03-25 18:31:46 +00:00
FailedSigninsWithAuditDetails.yaml fixes 2021-08-06 17:30:23 -07:00
FireEyeRedTeamComms.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
FirewallRuleChanges_using_netsh.yaml DNS to Syslog changes 2021-08-04 15:49:57 -07:00
LogonwithExpiredAccount.yaml Hunting query timeframe updates 2021-04-12 14:15:43 -07:00
NICKELCommandLineActivity-Nov2021.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
NetworkConnectionldap_log4j.yaml regex replace with ipv4_is_private 2022-03-14 11:10:08 -07:00
NetworkConnectiontoOMIPorts.yaml Update NetworkConnectiontoOMIPorts.yaml 2021-09-30 00:27:55 -07:00
NickelRegIOCPatterns.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
PermutationsOnLogonNames.yaml replacing deprecated parsejson with parse_json 2021-08-17 12:26:48 -07:00
PersistViaIFEORegistryKey.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
PossibleCommandInjectionagainstAzureIR.yaml changes and fixes 2022-05-09 13:12:50 -07:00
PotentialMicrosoftSecurityServicesTampering.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
PrivilegedAccountPasswordChanges.yaml fixing broken links 2021-10-29 17:27:02 -07:00
PrivilegedAccountsLockedOut.yaml fixing broken links 2021-10-29 17:27:02 -07:00
RareDNSLookupWithDataTransfer.yaml regex replace with ipv4_is_private 2022-03-14 11:10:08 -07:00
RareDomainsInCloudLogs.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
ReconActivitywithInteractiveLogonCorrelation.yaml adding connectorID 2022-03-10 17:05:47 +02:00
SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml Submitting with mapping entry changes 2021-07-30 12:33:27 -07:00
STRONTIUM_IOC_RetroHunt.yaml Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
SolarWindsInventory.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml Changing _SubscriptionId to SubscriptionId as schema was updated a while back. These still run, but we need to be using the updated field name. 2022-03-29 16:24:50 -07:00
StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml Updating PR with EntityMapping 2021-07-30 12:14:54 -07:00
StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml Updating PR with EntityMapping 2021-07-30 12:14:54 -07:00
TrackingPasswordChanges.yaml Added connectorId: WindowsForwardedEvents 2022-03-16 10:00:01 +02:00
TrackingPrivAccounts.yaml replacing deprecated parsejson with parse_json 2021-08-17 12:26:48 -07:00
UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml Remove condition in UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml 2022-01-04 10:33:02 +01:00
UnicodeObfuscationInCommandLine.yaml Revert "Revert "Merge branch 'master' of https://github.com/Azure/Azure-Sentinel"" 2022-01-03 16:21:46 +02:00
UserGrantedAccess_CreatesResources.yaml more fixes 2021-08-06 17:15:28 -07:00
UseragentExploitPentest.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00