Azure-Sentinel/Hunting Queries/MultipleDataSources
aprakash13 da3b384cb1
Update Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml
Co-authored-by: sergevanhaag <84989429+sergevanhaag@users.noreply.github.com>
2021-12-29 15:25:01 -08:00
AADPrivilegedAccountsFailedMFA.yaml adding tags for queries 2021-10-29 17:36:29 -07:00
AnomolousSignInsBasedonTime.yaml adding tags for queries 2021-10-29 17:36:29 -07:00
ApplicationGrantedEWSPermissions.yaml PR Comments 2021-08-10 10:51:45 -07:00
AzureResourceAssignedPublicIP.yaml updating logic to use new value 2021-09-17 18:03:35 -07:00
AzureResourceCreationWithNetworkActivity.yaml updating fields 2021-09-17 18:08:34 -07:00
AzureRunCommandMDELinked.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
CobaltDNSBeacon.yaml Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
Dev-0056CommandLineActivityNovember2021.yaml Blog Support Queries 2021-11-17 19:34:51 -08:00
Dev-0322CommandLineActivityNovember2021-MSIM.yaml Updating the query 2021-11-08 15:56:58 -08:00
Dev-0322CommandLineActivityNovember2021.yaml Updating the query 2021-11-08 15:56:58 -08:00
Dev-0322FileDropActivityNovember2021-MSIM.yaml Updated yaml to fix error 2021-11-08 14:25:11 -08:00
Dev-0322FileDropActivityNovember2021.yaml Added new hunting queries: 2021-11-08 14:19:50 -08:00
DormantServicePrincipalUpdateCredsandLogsIn.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
DormantUserUpdateMFAandLogsIn-UEBA.yaml Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries. 2021-11-09 18:41:23 -08:00
DormantUserUpdateMFAandLogsIn.yaml Added queries and detections for cross tenant activity: 2021-10-24 23:24:41 -07:00
ExchangeServersAssociatedSecurityAlerts.yaml GUID Updates 2021-03-25 18:31:46 +00:00
FailedSigninsWithAuditDetails.yaml fixes 2021-08-06 17:30:23 -07:00
FireEyeRedTeamComms.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
FirewallRuleChanges_using_netsh.yaml DNS to Syslog changes 2021-08-04 15:49:57 -07:00
LogonwithExpiredAccount.yaml Hunting query timeframe updates 2021-04-12 14:15:43 -07:00
NICKELCommandLineActivity-Nov2021.yaml typos and adding techniques 2021-12-03 14:35:34 -08:00
NetworkConnectionldap_log4j.yaml Update Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml 2021-12-29 15:25:01 -08:00
NetworkConnectiontoOMIPorts.yaml Update NetworkConnectiontoOMIPorts.yaml 2021-09-30 00:27:55 -07:00
NickelRegIOCPatterns.yaml removed tags 2021-12-06 08:56:50 -08:00
PermutationsOnLogonNames.yaml replacing deprecated parsejson with parse_json 2021-08-17 12:26:48 -07:00
PersistViaIFEORegistryKey.yaml add endswith condition 2021-07-01 18:10:53 -04:00
PotentialMicrosoftSecurityServicesTampering.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
PrivilegedAccountPasswordChanges.yaml fixing broken links 2021-10-29 17:27:02 -07:00
PrivilegedAccountsLockedOut.yaml fixing broken links 2021-10-29 17:27:02 -07:00
RareDNSLookupWithDataTransfer.yaml Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
RareDomainsInCloudLogs.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
ReconActivitywithInteractiveLogonCorrelation.yaml Adding with Changes 2021-08-26 12:53:10 -07:00
SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml Submitting with mapping entry changes 2021-07-30 12:33:27 -07:00
STRONTIUM_IOC_RetroHunt.yaml Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
SolarWindsInventory.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml Adding with title change 2021-09-24 14:17:55 -07:00
StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml Updating PR with EntityMapping 2021-07-30 12:14:54 -07:00
StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml Updating PR with EntityMapping 2021-07-30 12:14:54 -07:00
TrackingPasswordChanges.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00
TrackingPrivAccounts.yaml replacing deprecated parsejson with parse_json 2021-08-17 12:26:48 -07:00
UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml Submitting with Changes 2021-08-26 14:33:18 -07:00
UnicodeObfuscationInCommandLine.yaml updating Tactics to match with standard values 2021-09-01 12:51:38 -07:00
UserGrantedAccess_CreatesResources.yaml more fixes 2021-08-06 17:15:28 -07:00
UseragentExploitPentest.yaml Hunting Query TimeFrame Updates 2021-04-15 17:52:25 -07:00