[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = 
InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceImageLoadEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n)\n)\n",
- "queryFrequency": "PT12H",
- "queryPeriod": "PT12H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "CiscoASA",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "MicrosoftThreatProtection",
- "dataTypes": [
- "DeviceFileEvents",
- "DeviceEvents",
- "DeviceImageLoadEvents"
- ]
- },
- {
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- }
- ],
- "tactics": [
- "Persistence"
- ],
- "techniques": [
- "T1053"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "ProcessId",
- "columnName": "ProcessCustomEntity"
- }
- ],
- "entityType": "Process"
- },
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
- }
- ],
- "entityType": "Host"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Algorithm",
- "columnName": "AlgorithmCustomEntity"
- },
- {
- "identifier": "Value",
- "columnName": "FileHashCustomEntity"
- }
- ],
- "entityType": "FileHash"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]",
- "properties": {
- "description": "Legacy IOC based Threat Protection Analytics Rule 31",
- "parentId": "[variables('analyticRuleId31')]",
- "contentId": "[variables('_analyticRulecontentId31')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion31')]",
- "source": {
- "kind": "Solution",
- "name": "Legacy IOC based Threat Protection",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId31')]",
- "contentKind": "AnalyticsRule",
- "displayName": "[Deprecated] - Tarrask malware IOC - April 2022",
- "contentProductId": "[variables('_analyticRulecontentProductId31')]",
- "id": "[variables('_analyticRulecontentProductId31')]",
- "version": "[variables('analyticRuleVersion31')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName32')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "EmeraldSleetIOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion32')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId32')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy",
- "displayName": "[Deprecated] - Emerald Sleet domains included in DCU takedown",
- "enabled": false,
- "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n| parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule\n| extend IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\n| extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n| extend IPCustomEntity = SourceIP\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n| order by TimeGenerated\n),\n(AZFWApplicationRule\n| where Fqdn has_any (DomainNames)\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
- "queryFrequency": "P1D",
- "queryPeriod": "P1D",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "DNS",
- "dataTypes": [
- "DnsEvents"
- ]
- },
- {
- "connectorId": "AzureMonitor(VMInsights)",
- "dataTypes": [
- "VMConnection"
- ]
- },
- {
- "connectorId": "CiscoASA",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "AzureFirewall",
- "dataTypes": [
- "AzureDiagnostics",
- "AZFWApplicationRule",
- "AZFWDnsQuery"
- ]
- },
- {
- "connectorId": "Zscaler",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "InfobloxNIOS",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "GCPDNSDataConnector",
- "dataTypes": [
- "GCP_DNS_CL"
- ]
- },
- {
- "connectorId": "NXLogDnsLogs",
- "dataTypes": [
- "NXLog_DNS_Server_CL"
- ]
- },
- {
- "connectorId": "CiscoUmbrellaDataConnector",
- "dataTypes": [
- "Cisco_Umbrella_dns_CL"
- ]
- },
- {
- "connectorId": "Corelight",
- "dataTypes": [
- "Corelight_CL"
- ]
- }
- ],
- "tactics": [
- "CommandAndControl",
- "CredentialAccess"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
- }
- ],
- "entityType": "Host"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]",
- "properties": {
- "description": "Legacy IOC based Threat Protection Analytics Rule 32",
- "parentId": "[variables('analyticRuleId32')]",
- "contentId": "[variables('_analyticRulecontentId32')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion32')]",
- "source": {
- "kind": "Solution",
- "name": "Legacy IOC based Threat Protection",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId32')]",
- "contentKind": "AnalyticsRule",
- "displayName": "[Deprecated] - Emerald Sleet domains included in DCU takedown",
- "contentProductId": "[variables('_analyticRulecontentProductId32')]",
- "id": "[variables('_analyticRulecontentProductId32')]",
- "version": "[variables('analyticRuleVersion32')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName33')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "WSLMalwareCorrelation_AnalyticalRules Analytics Rule with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion33')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId33')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy",
- "displayName": "[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021",
- "enabled": false,
- "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, 
DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where SourceIp in (IPList) or Fqdn in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where SourceIp in (IPList) or QueryName in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID == '4688'\n| where CommandLine has_any (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n(WindowsEvent\n| where EventID == '4688' and has_any_ipv4(EventData, toscalar(IPList)) \n| extend NewProcessName = tostring(EventData.NewProcessName)\n| where NewProcessName in (IPList) \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| project TimeGenerated, Computer, 
NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n",
- "queryFrequency": "PT6H",
- "queryPeriod": "PT6H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "F5",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "CiscoASA",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "Fortinet",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "CheckPoint",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "CEF",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "MicrosoftThreatProtection",
- "dataTypes": [
- "DeviceNetworkEvents",
- "DeviceFileEvents",
- "DeviceEvents"
- ]
- },
- {
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- },
- {
- "connectorId": "AzureFirewall",
- "dataTypes": [
- "AzureDiagnostics",
- "AZFWApplicationRule",
- "AZFWDnsQuery"
- ]
- },
- {
- "connectorId": "WindowsFirewall",
- "dataTypes": [
- "WindowsFirewall"
- ]
- },
- {
- "connectorId": "WindowsSecurityEvents",
- "dataTypes": [
- "SecurityEvents"
- ]
- },
- {
- "connectorId": "WindowsForwardedEvents",
- "dataTypes": [
- "WindowsEvent"
- ]
- }
- ],
- "tactics": [
- "Impact"
- ],
- "techniques": [
- "T1496"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
- }
- ],
- "entityType": "Host"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
- },
- {
- "fieldMappings": [
- {
- "identifier": "ProcessId",
- "columnName": "ProcessCustomEntity"
- }
- ],
- "entityType": "Process"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Algorithm",
- "columnName": "AlgorithmCustomEntity"
- },
- {
- "identifier": "Value",
- "columnName": "FileHashCustomEntity"
- }
- ],
- "entityType": "FileHash"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]",
- "properties": {
- "description": "Legacy IOC based Threat Protection Analytics Rule 33",
- "parentId": "[variables('analyticRuleId33')]",
- "contentId": "[variables('_analyticRulecontentId33')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion33')]",
- "source": {
- "kind": "Solution",
- "name": "Legacy IOC based Threat Protection",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId33')]",
- "contentKind": "AnalyticsRule",
- "displayName": "[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021",
- "contentProductId": "[variables('_analyticRulecontentProductId33')]",
- "id": "[variables('_analyticRulecontentProductId33')]",
- "version": "[variables('analyticRuleVersion33')]"
- }
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.0",
+ "_huntingQuerycontentId1": "e2629949-2043-4421-8064-bca23c8491dd",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e2629949-2043-4421-8064-bca23c8491dd')))]"
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName34')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "DiamondSleetJan272021IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion34')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId34')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy",
- "displayName": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes",
- "enabled": false,
- "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", 
\"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(_Im_Dns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| 
where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where EventID == 4688\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n( WindowsEvent\n| where EventID == 4688\n| where EventData has_any (\"powershell.exe\", \"rundll32.exe\") and EventData has_any (tokens, \"Debug\\\\Browse\",\"is64bitoperatingsystem\" ) \n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| extend CommandLine = tostring(EventData.CommandLine) \n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics \n| where 
ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)\n| extend DNSName = Fqdn \n| extend IPAddress = SourceIp\n),\n(AZFWDnsQuery\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPAddress = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
- "queryFrequency": "P1D",
- "queryPeriod": "P1D",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "DNS",
- "dataTypes": [
- "DnsEvents"
- ]
- },
- {
- "connectorId": "AzureMonitor(VMInsights)",
- "dataTypes": [
- "VMConnection"
- ]
- },
- {
- "connectorId": "CiscoASA",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- },
- {
- "connectorId": "MicrosoftThreatProtection",
- "dataTypes": [
- "DeviceProcessEvents"
- ]
- },
- {
- "connectorId": "MicrosoftThreatProtection",
- "dataTypes": [
- "DeviceFileEvents"
- ]
- },
- {
- "connectorId": "MicrosoftThreatProtection",
- "dataTypes": [
- "DeviceNetworkEvents"
- ]
- },
- {
- "connectorId": "AzureFirewall",
- "dataTypes": [
- "AzureDiagnostics",
- "AZFWApplicationRule",
- "AZFWDnsQuery"
- ]
- },
- {
- "connectorId": "Zscaler",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "InfobloxNIOS",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "GCPDNSDataConnector",
- "dataTypes": [
- "GCP_DNS_CL"
- ]
- },
- {
- "connectorId": "NXLogDnsLogs",
- "dataTypes": [
- "NXLog_DNS_Server_CL"
- ]
- },
- {
- "connectorId": "CiscoUmbrellaDataConnector",
- "dataTypes": [
- "Cisco_Umbrella_dns_CL"
- ]
- },
- {
- "connectorId": "Corelight",
- "dataTypes": [
- "Corelight_CL"
- ]
- },
- {
- "connectorId": "WindowsForwardedEvents",
- "dataTypes": [
- "WindowsEvent"
- ]
- }
- ],
- "tactics": [
- "CommandAndControl",
- "Execution"
- ],
- "techniques": [
- "T1071",
- "T1204"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
- }
- ],
- "entityType": "Host"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]",
- "properties": {
- "description": "Legacy IOC based Threat Protection Analytics Rule 34",
- "parentId": "[variables('analyticRuleId34')]",
- "contentId": "[variables('_analyticRulecontentId34')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion34')]",
- "source": {
- "kind": "Solution",
- "name": "Legacy IOC based Threat Protection",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId34')]",
- "contentKind": "AnalyticsRule",
- "displayName": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes",
- "contentProductId": "[variables('_analyticRulecontentProductId34')]",
- "id": "[variables('_analyticRulecontentProductId34')]",
- "version": "[variables('analyticRuleVersion34')]"
- }
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "1.0.0",
+ "_huntingQuerycontentId2": "6bfea14f-2122-46b3-8f8b-3947e0fb6d92",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6bfea14f-2122-46b3-8f8b-3947e0fb6d92')))]"
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName35')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "DiamondSleetOct292020IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion35')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId35')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy",
- "displayName": "[Deprecated] - Known Diamond Sleet related maldoc hash",
- "enabled": false,
- "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
- "queryFrequency": "P1D",
- "queryPeriod": "P1D",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "CiscoASA",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- }
- ],
- "tactics": [
- "CommandAndControl",
- "CredentialAccess"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
- }
- ],
- "entityType": "Host"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
- "properties": {
- "description": "Legacy IOC based Threat Protection Analytics Rule 35",
- "parentId": "[variables('analyticRuleId35')]",
- "contentId": "[variables('_analyticRulecontentId35')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion35')]",
- "source": {
- "kind": "Solution",
- "name": "Legacy IOC based Threat Protection",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId35')]",
- "contentKind": "AnalyticsRule",
- "displayName": "[Deprecated] - Known Diamond Sleet related maldoc hash",
- "contentProductId": "[variables('_analyticRulecontentProductId35')]",
- "id": "[variables('_analyticRulecontentProductId35')]",
- "version": "[variables('analyticRuleVersion35')]"
- }
+ "huntingQueryObject3": {
+ "huntingQueryVersion3": "1.0.0",
+ "_huntingQuerycontentId3": "78fa22f9-0c13-4847-bbe6-6a7aa1b47547",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('78fa22f9-0c13-4847-bbe6-6a7aa1b47547')))]"
},
+ "huntingQueryObject4": {
+ "huntingQueryVersion4": "1.0.0",
+ "_huntingQuerycontentId4": "9b72769e-6ab1-4736-988b-018d92dc5e62",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9b72769e-6ab1-4736-988b-018d92dc5e62')))]"
+ },
+ "huntingQueryObject5": {
+ "huntingQueryVersion5": "1.0.0",
+ "_huntingQuerycontentId5": "5bf2d4d8-ea03-4673-aaf8-716a61446022",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5bf2d4d8-ea03-4673-aaf8-716a61446022')))]"
+ },
+ "huntingQueryObject6": {
+ "huntingQueryVersion6": "1.0.1",
+ "_huntingQuerycontentId6": "767b8f6d-8029-4c92-afe1-282167d9d49a",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('767b8f6d-8029-4c92-afe1-282167d9d49a')))]"
+ },
+ "huntingQueryObject7": {
+ "huntingQueryVersion7": "1.0.1",
+ "_huntingQuerycontentId7": "bb30abbc-9af6-4a37-9536-e9207e023989",
+ "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bb30abbc-9af6-4a37-9536-e9207e023989')))]"
+ },
+ "huntingQueryObject8": {
+ "huntingQueryVersion8": "1.0.1",
+ "_huntingQuerycontentId8": "f090f8f4a-b986-42d2-b536-e0795c723e25",
+ "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f090f8f4a-b986-42d2-b536-e0795c723e25')))]"
+ },
+ "huntingQueryObject9": {
+ "huntingQueryVersion9": "1.0.1",
+ "_huntingQuerycontentId9": "278592b5-612b-48a4-bb38-4c01ff8ee2a5",
+ "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('278592b5-612b-48a4-bb38-4c01ff8ee2a5')))]"
+ },
+ "huntingQueryObject10": {
+ "huntingQueryVersion10": "1.0.2",
+ "_huntingQuerycontentId10": "b8b7574f-1cd6-4308-822a-ab07256106f8",
+ "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b8b7574f-1cd6-4308-822a-ab07256106f8')))]"
+ },
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dev-0056CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Dev-0056CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
@@ -6865,13 +135,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -6896,27 +166,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Dev-0056 Command Line Activity November 2021",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dev-0322CommandLineActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Dev-0322CommandLineActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
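Review bot: The package-level `version` at L982 and the `'1.0.0'` literal hashed into `contentProductId`/`id` at L980–L981 are hard-coded, while the metadata `version` at L965 (and `contentVersion` at L947) read `variables('huntingQueryObject1').huntingQueryVersion1`, so the catalog id and the template version can silently diverge. This is harmless for objects 2–5, which declare 1.0.0 (L754, L890, L895, L900), but objects 6–10 declare 1.0.1 and 1.0.2 (L905, L910, L915, L920, L925), so if the generator emits the same pattern for those queries their product ids will be derived from a version the package does not actually carry; prefer `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` and the same expression in place of `'1.0.0'` inside `uniqueString(...)`. The same lines recur at L1042–L1044, L1104–L1106, L1166–L1168 and L1228–L1230. Separately, the new `_huntingQuerycontentId8` value at L916 (`f090f8f4a-…`) has nine characters in its first group and is not a well-formed GUID; `uniquestring` will accept it, but if it is a typo the metadata `contentId` will not match the query's real id.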
@@ -6934,7 +204,7 @@
"tags": [
{
"name": "description",
- "value": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization"
+ "value": "This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized."
},
{
"name": "tactics",
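Review bot: The rewritten description at L1009 drops the sentence stating that this query uses the Microsoft Sentinel Information Model, which was the only text distinguishing the ASIM variant from the non-ASIM one; after this change the descriptions at L1009 and L1071 are identical and only the displayName tells them apart. Keep a short pointer, e.g. append ` This query uses the Microsoft Sentinel Information Model (ASIM) - https://docs.microsoft.com/azure/sentinel/normalization` to the value. The same applies to L1133 versus L1195. Also, `Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software` reads as if the actor compromised the software itself; the original wording, `compromise of systems running the ZOHO ManageEngine ADSelfService Plus software`, is more precise.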
@@ -6950,13 +220,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -6981,27 +251,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "Dev-0322 Command Line Activity November 2021 (ASIM Version)",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dev-0322CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Dev-0322CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"parameters": {},
"variables": {},
"resources": [
@@ -7019,7 +289,7 @@
"tags": [
{
"name": "description",
- "value": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first."
+ "value": "This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized."
},
{
"name": "tactics",
@@ -7035,13 +305,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7066,27 +336,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"contentKind": "HuntingQuery",
"displayName": "Dev-0322 Command Line Activity November 2021",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dev-0322FileDropActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Dev-0322FileDropActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"parameters": {},
"variables": {},
"resources": [
@@ -7104,7 +374,7 @@
"tags": [
{
"name": "description",
- "value": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization"
+ "value": "This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized."
},
{
"name": "tactics",
@@ -7120,13 +390,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7151,27 +421,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"contentKind": "HuntingQuery",
"displayName": "Dev-0322 File Drop Activity November 2021 (ASIM Version)",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dev-0322FileDropActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Dev-0322FileDropActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"parameters": {},
"variables": {},
"resources": [
@@ -7189,7 +459,7 @@
"tags": [
{
"name": "description",
- "value": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first."
+ "value": "This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized."
},
{
"name": "tactics",
@@ -7205,13 +475,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7236,27 +506,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"contentKind": "HuntingQuery",
"displayName": "Dev-0322 File Drop Activity November 2021",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetworkConnectiontoOMIPorts_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "NetworkConnectiontoOMIPorts_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"parameters": {},
"variables": {},
"resources": [
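Review bot: The new `contentProductId`, `id` and `version` at L1228–L1230 hard-code the literal `'1.0.0'` while the metadata resource at L1213 takes the version from `variables('huntingQueryObject5').huntingQueryVersion5`, so the same hunting query now carries its version in two places that can drift apart on the next bump. The same pattern repeats in the hunks ending at L1313, L1375, L1428, L1490 and L1534 (with `'1.0.1'`/`'1.0.2'`). If this file is emitted by the solution packaging tool, the fix belongs in the generator; otherwise replace the literal, e.g. `"version": "[variables('huntingQueryObject5').huntingQueryVersion5]"` and the same reference inside the `uniqueString(...)` argument. Both resources sit inside a `resources` array whose start is outside the hunk.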
@@ -7274,7 +544,7 @@
"tags": [
{
"name": "description",
- "value": "This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). \n OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. \n The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) \n as well as a few other logs to look for this activity. The Network normalizing parsers can be deployed in a click using an ARM Template shared in the link below:\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimNetworkSession"
+ "value": "This query detects attempts to exploit OMI vulnerability (CVE-2021-38647) by identifying external IP connections to management ports (5985,5986,1270). It uses the imNetworkSession schema and other logs for this purpose."
},
{
"name": "tactics",
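Review bot: The rewritten description at L1257 removes all three references, including the link to the ASim Network Session parsers the query depends on for `imNetworkSession` to resolve; the new text still says the query uses that schema but no longer tells the hunter where the parsers come from or that they must be deployed first. Keep at least that one link, e.g. append `The Network Session normalizing parsers must be deployed first: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimNetworkSession`. The two blog references could be kept on a single shorter `References:` line. The query text itself is outside the hunk.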
@@ -7290,13 +560,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7321,27 +591,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
"contentKind": "HuntingQuery",
"displayName": "Connection from external IP to OMI related Ports",
- "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
- "id": "[variables('_huntingQuerycontentProductId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]",
+ "version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
+ "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NylonTyphoonCommandLineActivity-Nov2021_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "NylonTyphoonCommandLineActivity-Nov2021_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"parameters": {},
"variables": {},
"resources": [
@@ -7359,7 +629,7 @@
"tags": [
{
"name": "description",
- "value": "This hunting query looks for process command line activity related to data collection and staging observed by Nylon Typhoon.\nIt hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to Nylon Typhoon actor."
+ "value": "This query hunts for Nylon Typhoon-related activity, specifically data collection and staging. It looks for use of tools like xcopy and renamed archiving tools on hosts with observed signatures."
},
{
"name": "tactics",
@@ -7375,13 +645,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7406,27 +676,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
"contentKind": "HuntingQuery",
"displayName": "Nylon Typhoon Command Line Activity November 2021",
- "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
- "id": "[variables('_huntingQuerycontentProductId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]",
+ "version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
+ "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NylonTyphoonRegIOCPatterns_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "NylonTyphoonRegIOCPatterns_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"parameters": {},
"variables": {},
"resources": [
@@ -7460,13 +730,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7491,27 +761,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
"contentKind": "HuntingQuery",
"displayName": "Known Nylon Typhoon Registry modifications patterns",
- "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
- "id": "[variables('_huntingQuerycontentProductId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]",
+ "version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
+ "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWindsInventory_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "SolarWindsInventory_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"parameters": {},
"variables": {},
"resources": [
@@ -7529,7 +799,7 @@
"tags": [
{
"name": "description",
- "value": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes"
+ "value": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This query helps discover any systems that have SolarWinds processes."
},
{
"name": "tactics",
@@ -7545,13 +815,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7576,27 +846,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
"contentKind": "HuntingQuery",
"displayName": "SolarWinds Inventory",
- "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
- "id": "[variables('_huntingQuerycontentProductId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.1')))]",
+ "version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
+ "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ForestBlizzard_IOC_RetroHunt_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "ForestBlizzard_IOC_RetroHunt_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
+ "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"parameters": {},
"variables": {},
"resources": [
@@ -7614,7 +884,7 @@
"tags": [
{
"name": "description",
- "value": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy."
+ "value": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active."
},
{
"name": "tactics",
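Review bot: The description at L1496 still says the query matches domain name IOCs, while the displayName for the same content (L1525 in a later hunk) calls it a retrospective hunt for Forest Blizzard IP IOCs; the commit edits this description but leaves the mismatch, so one of the two should be corrected once the query's actual indicator type is confirmed (the query body is outside the hunk). The rewrite also drops the Microsoft reference that documented where the IOC set and its active time window came from, which is the only provenance a hunter has for a retrospective query; consider keeping it as `References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy`.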
@@ -7630,13 +900,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]",
"properties": {
"description": "Legacy IOC based Threat Protection Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"source": {
"kind": "Solution",
"name": "Legacy IOC based Threat Protection",
@@ -7661,12 +931,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"contentKind": "HuntingQuery",
"displayName": "Retrospective hunt for Forest Blizzard IP IOCs",
- "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
- "id": "[variables('_huntingQuerycontentProductId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.2')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.2')))]",
+ "version": "1.0.2"
}
},
{
@@ -7674,12 +944,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Legacy IOC based Threat Protection",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nMicrosoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.
\nPre-requisites:
\nThis is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.
\n\nSquid Proxy
\n \nMicrosoft Windows DNS
\n \nCisco ASA
\n \nPalo Alto Networks
\n \nMicrosoft Defender XDR
\n \nAzure Firewall
\n \nZScaler Internet Access
\n \nInfoblox NIOS
\n \nGoogle Cloud Platform DNS
\n \nNXLog DNS
\n \nCisco Umbrella
\n \nCorelight
\n \nAmazon Web Services
\n \nWindows Forwarded Events
\n \nSysmon for Linux
\n \nMicrosoft 365
\n \nWindows Security Events
\n \nMicrosoft Entra ID
\n \nAzure Activity
\n \nF5 Advanced WAF
\n \nFortinet FortiGate
\n \nCheck Point
\n \nCommon Event Format
\n \nWindows Firewall
\n \n
\nAnalytic Rules: 35, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nMicrosoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.
\nPre-requisites:
\nThis is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.
\n\nSquid Proxy
\n \nMicrosoft Windows DNS
\n \nCisco ASA
\n \nPalo Alto Networks
\n \nMicrosoft Defender XDR
\n \nAzure Firewall
\n \nZScaler Internet Access
\n \nInfoblox NIOS
\n \nGoogle Cloud Platform DNS
\n \nNXLog DNS
\n \nCisco Umbrella
\n \nCorelight
\n \nAmazon Web Services
\n \nWindows Forwarded Events
\n \nSysmon for Linux
\n \nMicrosoft 365
\n \nWindows Security Events
\n \nMicrosoft Entra ID
\n \nAzure Activity
\n \nF5 Advanced WAF
\n \nFortinet FortiGate
\n \nCheck Point
\n \nCommon Event Format
\n \nWindows Firewall
\n \n
\nHunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -7704,230 +974,55 @@
"dependencies": {
"operator": "AND",
"criteria": [
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId10')]",
- "version": "[variables('analyticRuleVersion10')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId11')]",
- "version": "[variables('analyticRuleVersion11')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId12')]",
- "version": "[variables('analyticRuleVersion12')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId13')]",
- "version": "[variables('analyticRuleVersion13')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId14')]",
- "version": "[variables('analyticRuleVersion14')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId15')]",
- "version": "[variables('analyticRuleVersion15')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId16')]",
- "version": "[variables('analyticRuleVersion16')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId17')]",
- "version": "[variables('analyticRuleVersion17')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId18')]",
- "version": "[variables('analyticRuleVersion18')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId19')]",
- "version": "[variables('analyticRuleVersion19')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId20')]",
- "version": "[variables('analyticRuleVersion20')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId21')]",
- "version": "[variables('analyticRuleVersion21')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId22')]",
- "version": "[variables('analyticRuleVersion22')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId23')]",
- "version": "[variables('analyticRuleVersion23')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId24')]",
- "version": "[variables('analyticRuleVersion24')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId25')]",
- "version": "[variables('analyticRuleVersion25')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId26')]",
- "version": "[variables('analyticRuleVersion26')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId27')]",
- "version": "[variables('analyticRuleVersion27')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId28')]",
- "version": "[variables('analyticRuleVersion28')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId29')]",
- "version": "[variables('analyticRuleVersion29')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId30')]",
- "version": "[variables('analyticRuleVersion30')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId31')]",
- "version": "[variables('analyticRuleVersion31')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId32')]",
- "version": "[variables('analyticRuleVersion32')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId33')]",
- "version": "[variables('analyticRuleVersion33')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId34')]",
- "version": "[variables('analyticRuleVersion34')]"
- },
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId35')]",
- "version": "[variables('analyticRuleVersion35')]"
- },
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]"
}
]
},
diff --git a/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json b/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json
new file mode 100644
index 0000000000..e55ec41a9a
--- /dev/null
+++ b/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
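Review bot: `workspace` at L1885–L1891 and `workspace-location` at L1878–L1884 default to the empty string with no `minLength`, while `location` at L1872 carries `minLength: 1`; an empty workspace name would flow into the `concat(parameters('workspace'),'/Microsoft.SecurityInsights/…')` resource names used throughout the main template and surface only as a deployment-time failure. Add `"minLength": 1` to `workspace` (and to `workspace-location` if the harness always supplies it) so parameter validation rejects the empty default up front. Whether this file is consumed only by the packaging tool's tests or also by arm-ttk is not visible here, so the stricter constraint may need to match whatever the harness passes.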
diff --git a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
index 7eb92c3724..fcdd84c939 100644
--- a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
+++ b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.0.2 | 12-12-2023 | Removed deprecated **Analytical Rules** |
| 3.0.1 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & Microsoft 365 Defender to Microsoft Defender XDR |
| 3.0.0 | 19-05-2023 | Deprecating outdated IOC Based **Analytic Rules** |
diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip
index bee663dcec..082acb92dc 100644
Binary files a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip and b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip differ
diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
index 5986ffb378..891d37da8a 100644
--- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
+++ b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
@@ -4,7 +4,7 @@ azure-storage-file-share==12.3.0
certifi==2023.7.22
cffi==1.16.0
charset-normalizer==3.3.1
-cryptography==41.0.5
+cryptography==41.0.6
idna==3.4
isodate==0.6.1
msrest==0.7.1
diff --git a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
index c9beada92b..4d5ccd9cdb 100644
--- a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
+++ b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
@@ -90,7 +90,8 @@
"EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
- "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+ "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
},
{
@@ -180,6 +181,10 @@
"name": "EmailPostDeliveryEvents",
"lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
+ {
+ "name": "UrlClickEvents",
+ "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
{
"name": "IdentityLogonEvents",
"lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
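Review bot: The new `UrlClickEvents` entry is added to the connectivity criteria and to the dataTypes list after `EmailPostDeliveryEvents`, but if this connector also enumerates the Email tables in an instruction-step data-type selector elsewhere in the file, that list needs the same entry; otherwise the connector can report the table as received while users have no control to enable its ingestion. That part of the file is outside these two hunks, so treat this as a check rather than a confirmed gap. The matching additions in the packaged mainTemplate.json hunks look generated from this definition, so any further change here should be followed by a regeneration rather than a hand edit of the package.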
diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
index 3df31bddc8..e35ad7bdb5 100644
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
@@ -30,7 +30,7 @@
"Workbooks/MicrosoftDefenderForIdentity.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
- "Version": "3.0.0",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": true
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.2.zip b/Solutions/Microsoft Defender XDR/Package/3.0.2.zip
new file mode 100644
index 0000000000..de5d4aa9a4
Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.2.zip differ
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
index d3211d028e..5e1e4f70f4 100644
--- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
@@ -57,7 +57,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Defender XDR",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "MicrosoftThreatProtection",
@@ -190,7 +190,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Defender XDR data connector with template version 3.0.1",
+ "description": "Microsoft Defender XDR data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -274,7 +274,8 @@
"EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
- "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+ "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
},
{
@@ -363,6 +364,10 @@
"name": "EmailPostDeliveryEvents",
"lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
+ {
+ "name": "UrlClickEvents",
+ "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
{
"name": "IdentityLogonEvents",
"lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
@@ -571,6 +576,10 @@
"name": "EmailPostDeliveryEvents",
"lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
+ {
+ "name": "UrlClickEvents",
+ "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
{
"name": "IdentityLogonEvents",
"lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
@@ -620,7 +629,8 @@
"EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
- "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+ "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
},
{
@@ -657,7 +667,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -868,7 +878,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -977,7 +987,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1086,7 +1096,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1220,7 +1230,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1372,7 +1382,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1502,7 +1512,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1610,7 +1620,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1727,7 +1737,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1844,7 +1854,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1944,13 +1954,13 @@
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
+ "reopenClosedIncident": false,
"matchingMethod": "Selected",
"enabled": false,
- "reopenClosedIncident": false,
- "lookbackDuration": "5h",
"groupByEntities": [
"Account"
- ]
+ ],
+ "lookbackDuration": "5h"
}
}
}
@@ -2006,7 +2016,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2091,7 +2101,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2176,7 +2186,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2261,7 +2271,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -2346,7 +2356,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO Insights Workbook with template version 3.0.1",
+ "description": "MDO Insights Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -2434,7 +2444,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.1",
+ "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -2509,7 +2519,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.1",
+ "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@@ -2601,7 +2611,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Defender XDR",
diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
index f69c8eacd1..b0135e2df7 100644
--- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.2 | 04-12-2023 | Added UrlClickEvents datatype to the solution |
| 3.0.1 | 12-10-2023 | Solution name changed from **Microsoft 365 Defender** to **Microsoft Defender XDR**. |
| 3.0.0 | 26-07-2023 | Updated **Workbook** template to remove unused variables. |
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
index 68914d08ef..725e803134 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
@@ -36,7 +36,7 @@ query: |
| where TimeGenerated > ago(starttime)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| mv-expand AssignedRoles
- | where AssignedRoles contains 'Admin'
+ | where AssignedRoles contains 'Admin' or GroupMembership has "Admin"
| summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)
| join kind=inner (
table(tableName)
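Review bot: `GroupMembership has "Admin"` is a term match, so group names such as `Domain Admins` or `Enterprise Admins`, whose term is `Admins`, do not satisfy it, while the role test on the same line uses the substring match `contains 'Admin'`; the two halves of the condition therefore cover different spellings of the same privilege marker. Consider `GroupMembership has_any ("Admin", "Admins")` so the plural form is covered, or `tostring(GroupMembership) contains "Admin"` to mirror the role test, and use one quote style for both literals. Because the filter runs after `mv-expand AssignedRoles`, an account that qualifies only through group membership passes every expanded role row, so the `make_list(AssignedRoles)` on the following line will include its non-admin roles; that is presumably intended but deserves a mention in the rule description. The query block begins before this hunk and continues after it.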
@@ -81,5 +81,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
-version: 1.0.4
+version: 1.1.0
kind: Scheduled
diff --git a/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json b/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json
index 7efa9ce50f..55b26335b9 100644
--- a/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json
+++ b/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json
@@ -62,7 +62,7 @@
"instructionSteps": [
{
"title": "",
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
]
},
diff --git a/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json b/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json
index db7d531a80..0eb1898218 100644
--- a/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json
+++ b/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json
@@ -7,7 +7,7 @@
"Workbooks/OracleWorkbook.json"
],
"Parsers": [
- "Parsers/OracleWebLogicServerEvent.txt"
+ "Parsers/OracleWebLogicServerEvent.yaml"
],
"Hunting Queries": [
"Hunting Queries/OracleWebLogic403RequestsFiles.yaml",
@@ -38,7 +38,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OracleWebLogicServer",
- "Version": "2.0.1",
+ "Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}
\ No newline at end of file
diff --git a/Solutions/OracleWebLogicServer/Package/3.0.0.zip b/Solutions/OracleWebLogicServer/Package/3.0.0.zip
new file mode 100644
index 0000000000..e41ad37ed6
Binary files /dev/null and b/Solutions/OracleWebLogicServer/Package/3.0.0.zip differ
diff --git a/Solutions/OracleWebLogicServer/Package/createUiDefinition.json b/Solutions/OracleWebLogicServer/Package/createUiDefinition.json
index ce501e8714..b99b562735 100644
--- a/Solutions/OracleWebLogicServer/Package/createUiDefinition.json
+++ b/Solutions/OracleWebLogicServer/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Installation of the OracleWebLogicServer data connector requires installation of a collection agent on the Oracle WebLogic Server where logs are generated. Refer to Oracle Web Logic Server documentation for more information. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for OracleWebLogicServer. You can get OracleWebLogicServer custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the OracleWebLogicServerEvent Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
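Review bot: The rewritten `dataconnectors1-text` drops the statement that this connector requires a collection agent on the WebLogic host where the logs are generated, which the connector's own file name (`Connector_OracleWebLogicServer_agent.json`) indicates is still the deployment model; the replacement sentence about "custom log data" gives the installer no hint that an agent step is needed. Likewise `dataconnectors-parser-text` no longer names the `OracleWebLogicServerEvent` function alias that users must query, and its claim that data is transformed into "Microsoft Sentinel normalized format" reads as generic template wording rather than a description of this parser, which the connector description in this same commit still calls a Kusto Function with that alias. If this file is produced by the packaging tool, the wording should be corrected at the tool's input so the next regeneration does not revert it; otherwise restore the agent requirement and the alias in these two strings.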
diff --git a/Solutions/OracleWebLogicServer/Package/mainTemplate.json b/Solutions/OracleWebLogicServer/Package/mainTemplate.json
index 7a116d0d5c..0ffea8df1d 100644
--- a/Solutions/OracleWebLogicServer/Package/mainTemplate.json
+++ b/Solutions/OracleWebLogicServer/Package/mainTemplate.json
@@ -38,162 +38,168 @@
}
},
"variables": {
- "solutionId": "azuresentinel.azure-sentinel-solution-oracleweblogicserver",
- "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
+ "_solutionName": "OracleWebLogicServer",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-oracleweblogicserver",
+ "_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "OracleWeblogicServerWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "parserVersion1": "1.0.0",
- "parserContentId1": "OracleWebLogicServerEvent-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
- "parserName1": "OracleWebLogicServer Data Parser",
- "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
- "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
- "huntingQueryVersion1": "1.0.0",
- "huntingQuerycontentId1": "5c2f090d-2072-4ad9-a749-394593d7091b",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]",
- "huntingQueryVersion2": "1.0.0",
- "huntingQuerycontentId2": "419a91d4-5741-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
- "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]",
- "huntingQueryVersion3": "1.0.0",
- "huntingQuerycontentId3": "877125e6-5779-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
- "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
- "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]",
- "huntingQueryVersion4": "1.0.0",
- "huntingQuerycontentId4": "41aec744-5778-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
- "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
- "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]",
- "huntingQueryVersion5": "1.0.0",
- "huntingQuerycontentId5": "34d32bf0-5741-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
- "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
- "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]",
- "huntingQueryVersion6": "1.0.0",
- "huntingQuerycontentId6": "0a58d21c-5741-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]",
- "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]",
- "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]",
- "huntingQueryVersion7": "1.0.0",
- "huntingQuerycontentId7": "f917b23e-5740-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]",
- "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]",
- "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]",
- "huntingQueryVersion8": "1.0.0",
- "huntingQuerycontentId8": "e6c42fe0-5740-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]",
- "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]",
- "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]",
- "huntingQueryVersion9": "1.0.0",
- "huntingQuerycontentId9": "b89b3474-5740-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]",
- "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]",
- "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]",
- "huntingQueryVersion10": "1.0.0",
- "huntingQuerycontentId10": "a5767caa-5740-11ec-bf63-0242ac130002",
- "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]",
- "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]",
- "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "parserObject1": {
+ "_parserName1": "[concat(parameters('workspace'),'/','OracleWebLogicServer Data Parser')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OracleWebLogicServerEvent-Parser')))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "OracleWebLogicServerEvent-Parser"
+ },
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.0",
+ "_huntingQuerycontentId1": "5c2f090d-2072-4ad9-a749-394593d7091b",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5c2f090d-2072-4ad9-a749-394593d7091b')))]"
+ },
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "1.0.0",
+ "_huntingQuerycontentId2": "419a91d4-5741-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('419a91d4-5741-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject3": {
+ "huntingQueryVersion3": "1.0.0",
+ "_huntingQuerycontentId3": "877125e6-5779-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('877125e6-5779-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject4": {
+ "huntingQueryVersion4": "1.0.0",
+ "_huntingQuerycontentId4": "41aec744-5778-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('41aec744-5778-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject5": {
+ "huntingQueryVersion5": "1.0.0",
+ "_huntingQuerycontentId5": "34d32bf0-5741-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('34d32bf0-5741-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject6": {
+ "huntingQueryVersion6": "1.0.0",
+ "_huntingQuerycontentId6": "0a58d21c-5741-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a58d21c-5741-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject7": {
+ "huntingQueryVersion7": "1.0.0",
+ "_huntingQuerycontentId7": "f917b23e-5740-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f917b23e-5740-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject8": {
+ "huntingQueryVersion8": "1.0.0",
+ "_huntingQuerycontentId8": "e6c42fe0-5740-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e6c42fe0-5740-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject9": {
+ "huntingQueryVersion9": "1.0.0",
+ "_huntingQuerycontentId9": "b89b3474-5740-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b89b3474-5740-11ec-bf63-0242ac130002')))]"
+ },
+ "huntingQueryObject10": {
+ "huntingQueryVersion10": "1.0.0",
+ "_huntingQuerycontentId10": "a5767caa-5740-11ec-bf63-0242ac130002",
+ "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a5767caa-5740-11ec-bf63-0242ac130002')))]"
+ },
"uiConfigId1": "OracleWebLogicServer",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "OracleWebLogicServer",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.1",
- "analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "analyticRuleVersion2": "1.0.1",
- "analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.1",
- "analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]",
- "analyticRuleVersion5": "1.0.1",
- "analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]",
- "analyticRuleVersion6": "1.0.1",
- "analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]",
- "analyticRuleVersion7": "1.0.1",
- "analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]",
- "analyticRuleVersion8": "1.0.0",
- "analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]",
- "analyticRuleVersion9": "1.0.1",
- "analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]",
- "analyticRuleVersion10": "1.0.1",
- "analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]"
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.1",
+ "_analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ae36a5e-573f-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ae36a5e-573f-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.1",
+ "_analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44c7d12a-573f-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44c7d12a-573f-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.1",
+ "_analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67950168-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67950168-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.1",
+ "_analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '51d050ee-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('51d050ee-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.1",
+ "_analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '41775080-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('41775080-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.1",
+ "_analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '268f4fde-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('268f4fde-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.1",
+ "_analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '153ce6d8-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('153ce6d8-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.0.0",
+ "_analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '033e98d2-5740-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('033e98d2-5740-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.0')))]"
+ },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "1.0.1",
+ "_analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edc2f2b4-573f-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edc2f2b4-573f-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "analyticRuleObject10": {
+ "analyticRuleVersion10": "1.0.1",
+ "_analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cc9ed36-573f-11ec-bf63-0242ac130002')]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cc9ed36-573f-11ec-bf63-0242ac130002')))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+ },
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "OracleWebLogicServer Workbook with template",
- "displayName": "OracleWebLogicServer workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWorkbookWorkbook Workbook with template version 2.0.1",
+ "description": "OracleWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
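Review bot: In each `analyticRuleObjectN` (L2503–L2572) the rule version appears twice — as `analyticRuleVersionN` and again as the literal `'1.0.1'` (`'1.0.0'` for rule 8) inside `_analyticRulecontentProductIdN` — and the content GUID four times, with the same pattern in `parserObject1` (L2387–L2391) and in the parser `contentProductId`/`id` at L2733–L2734, where `'1.0.0'` is inlined next to `parserVersion1`. ARM variables cannot reference properties of the object that defines them, which is presumably why the literal is inlined, but it means a version bump applied to one copy and not the other leaves the product id unchanged and the update undetectable; if this file is produced by the packaging tool the guard belongs there, otherwise it needs a review check. Separately, `workspaceResourceId` at L2326 is retained while its only visible consumers, the `hidden-sentinelWorkspaceId` tags at L2583–L2586 and L2597–L2600, are removed; if nothing outside this hunk references it, the variable is now dead and should go too.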
@@ -258,59 +264,53 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('parserTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "OracleWebLogicServerEvent Data Parser with template",
- "displayName": "OracleWebLogicServerEvent Data Parser template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicServerEvent Data Parser with template version 2.0.1",
+ "description": "OracleWebLogicServerEvent Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserVersion1')]",
+ "contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "name": "[variables('parserObject1')._parserName1]",
+ "apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "OracleWebLogicServer Data Parser",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "OracleWebLogicServerEvent",
- "query": "\nlet owl_serverlog =() {\r\nOracleWebLogicServer_CL\r\n| where RawData startswith \"####\"\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'ServerLog'\r\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\r\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\r\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\r\n| extend EventSeverity = tostring(EventData[1])\r\n| extend Subsystem = tostring(EventData[2])\r\n| extend DvcHostname = tostring(EventData[3])\r\n| extend SrcDvcHostname = tostring(EventData[4])\r\n| extend TreadId = tostring(EventData[5])\r\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\r\n| extend TransactionId = tostring(EventData[7])\r\n| extend DiagnosticContextId = tostring(EventData[8])\r\n| extend RawTimeValue = tostring(EventData[9])\r\n| extend EventOriginalUid = tostring(EventData[10])\r\n| extend EventMessage = tostring(EventData[11])\r\n};\r\nlet owl_accesslog=() {\r\nOracleWebLogicServer_CL\r\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'AccessLog'\r\n| extend EventData = split(RawData, '\"')\r\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\r\n| extend SubEventData1 = split(EventData[1], ' ')\r\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\r\n| extend SrcIpAddr = tostring(SubEventData0[0])\r\n| extend ClientIdentity = tostring(SubEventData0[1])\r\n| extend SrcUserName = tostring(SubEventData0[2])\r\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', 
extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\r\n| extend HttpRequestMethod = tostring(SubEventData1[0])\r\n| extend UrlOriginal = tostring(SubEventData1[1])\r\n| extend HttpVersion = tostring(SubEventData1[2])\r\n| extend HttpStatusCode = toint(SubEventData2[0])\r\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\r\n| extend HttpReferrerOriginal = tostring(EventData[3])\r\n| extend HttpUserAgentOriginal = tostring(EventData[5])\r\n};\r\nunion isfuzzy=true owl_serverlog, owl_accesslog\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventType\r\n , EventStartTime\r\n , DvcTimeZone\r\n , EventSeverity\r\n , Subsystem\r\n , DvcHostname\r\n , SrcDvcHostname\r\n , TreadId\r\n , SrcUserName\r\n , TransactionId\r\n , DiagnosticContextId\r\n , RawTimeValue\r\n , EventOriginalUid\r\n , EventMessage\r\n , SrcIpAddr\r\n , ClientIdentity\r\n , HttpRequestMethod\r\n , UrlOriginal\r\n , HttpVersion\r\n , HttpStatusCode\r\n , HttpResponseBodyBytes\r\n , HttpReferrerOriginal\r\n , HttpUserAgentOriginal\r\n",
- "version": 1,
+ "query": "let owl_serverlog =() {\nOracleWebLogicServer_CL\n| where RawData startswith \"####\"\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'ServerLog'\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\n| extend EventSeverity = tostring(EventData[1])\n| extend Subsystem = tostring(EventData[2])\n| extend DvcHostname = tostring(EventData[3])\n| extend SrcDvcHostname = tostring(EventData[4])\n| extend ThreadId = tostring(EventData[5])\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\n| extend TransactionId = tostring(EventData[7])\n| extend DiagnosticContextId = tostring(EventData[8])\n| extend RawTimeValue = tostring(EventData[9])\n| extend EventOriginalUid = tostring(EventData[10])\n| extend EventMessage = tostring(EventData[11])\n};\nlet owl_accesslog=() {\nOracleWebLogicServer_CL\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = tostring(SubEventData0[1])\n| extend SrcUserName = tostring(SubEventData0[2])\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod 
= tostring(SubEventData1[0])\n| extend UrlOriginal = tostring(SubEventData1[1])\n| extend HttpVersion = tostring(SubEventData1[2])\n| extend HttpStatusCode = toint(SubEventData2[0])\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\n| extend HttpReferrerOriginal = tostring(EventData[3])\n| extend HttpUserAgentOriginal = tostring(EventData[5])\n};\nunion isfuzzy=true owl_serverlog, owl_accesslog\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventType\n , EventStartTime\n , DvcTimeZone\n , EventSeverity\n , Subsystem\n , DvcHostname\n , SrcDvcHostname\n , ThreadId\n , SrcUserName\n , TransactionId\n , DiagnosticContextId\n , RawTimeValue\n , EventOriginalUid\n , EventMessage\n , SrcIpAddr\n , ClientIdentity\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n",
+ "functionParameters": "",
+ "version": 2,
"tags": [
{
"name": "description",
- "value": "OracleWebLogicServer Data Parser"
+ "value": ""
}
]
}
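Review bot: The access-log branch of the new `query` at L2686 still selects rows with `\\s\\\"(GET|POST)'`, so requests with any other method (HEAD, PUT, DELETE, OPTIONS, PATCH) and requests from IPv6 clients (the prefix requires a dotted IPv4 quad) never get `EventType = 'AccessLog'` and are invisible to whatever rules read `HttpRequestMethod`/`UrlOriginal`; widening the alternation to `\\s\\\"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH)` is a one-token change, while the IPv4-only prefix needs a separate decision. The `EventStartTime` expression extracts the zone offset via `(\\-|\\+)\\d+` and then discards it, so the value handed to `todatetime` carries no offset and can be shifted from UTC by the server's local offset, which matters for cross-source correlation. The `TreadId` to `ThreadId` rename is a column rename, so any saved query or workbook referencing the old name must follow it. The description tag value at L2694 becomes `""` where it previously carried `OracleWebLogicServer Data Parser`, which looks unintended.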
@@ -318,15 +318,15 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
"name": "OracleWebLogicServer",
"kind": "Solution",
@@ -345,36 +345,54 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "contentKind": "Parser",
+ "displayName": "OracleWebLogicServer Data Parser",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
- "name": "[variables('_parserName1')]",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "OracleWebLogicServer Data Parser",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "OracleWebLogicServerEvent",
- "query": "\nlet owl_serverlog =() {\r\nOracleWebLogicServer_CL\r\n| where RawData startswith \"####\"\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'ServerLog'\r\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\r\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\r\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\r\n| extend EventSeverity = tostring(EventData[1])\r\n| extend Subsystem = tostring(EventData[2])\r\n| extend DvcHostname = tostring(EventData[3])\r\n| extend SrcDvcHostname = tostring(EventData[4])\r\n| extend TreadId = tostring(EventData[5])\r\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\r\n| extend TransactionId = tostring(EventData[7])\r\n| extend DiagnosticContextId = tostring(EventData[8])\r\n| extend RawTimeValue = tostring(EventData[9])\r\n| extend EventOriginalUid = tostring(EventData[10])\r\n| extend EventMessage = tostring(EventData[11])\r\n};\r\nlet owl_accesslog=() {\r\nOracleWebLogicServer_CL\r\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'AccessLog'\r\n| extend EventData = split(RawData, '\"')\r\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\r\n| extend SubEventData1 = split(EventData[1], ' ')\r\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\r\n| extend SrcIpAddr = tostring(SubEventData0[0])\r\n| extend ClientIdentity = tostring(SubEventData0[1])\r\n| extend SrcUserName = tostring(SubEventData0[2])\r\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', 
extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\r\n| extend HttpRequestMethod = tostring(SubEventData1[0])\r\n| extend UrlOriginal = tostring(SubEventData1[1])\r\n| extend HttpVersion = tostring(SubEventData1[2])\r\n| extend HttpStatusCode = toint(SubEventData2[0])\r\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\r\n| extend HttpReferrerOriginal = tostring(EventData[3])\r\n| extend HttpUserAgentOriginal = tostring(EventData[5])\r\n};\r\nunion isfuzzy=true owl_serverlog, owl_accesslog\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventType\r\n , EventStartTime\r\n , DvcTimeZone\r\n , EventSeverity\r\n , Subsystem\r\n , DvcHostname\r\n , SrcDvcHostname\r\n , TreadId\r\n , SrcUserName\r\n , TransactionId\r\n , DiagnosticContextId\r\n , RawTimeValue\r\n , EventOriginalUid\r\n , EventMessage\r\n , SrcIpAddr\r\n , ClientIdentity\r\n , HttpRequestMethod\r\n , UrlOriginal\r\n , HttpVersion\r\n , HttpStatusCode\r\n , HttpResponseBodyBytes\r\n , HttpReferrerOriginal\r\n , HttpUserAgentOriginal\r\n",
- "version": 1
+ "query": "let owl_serverlog =() {\nOracleWebLogicServer_CL\n| where RawData startswith \"####\"\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'ServerLog'\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\n| extend EventSeverity = tostring(EventData[1])\n| extend Subsystem = tostring(EventData[2])\n| extend DvcHostname = tostring(EventData[3])\n| extend SrcDvcHostname = tostring(EventData[4])\n| extend ThreadId = tostring(EventData[5])\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\n| extend TransactionId = tostring(EventData[7])\n| extend DiagnosticContextId = tostring(EventData[8])\n| extend RawTimeValue = tostring(EventData[9])\n| extend EventOriginalUid = tostring(EventData[10])\n| extend EventMessage = tostring(EventData[11])\n};\nlet owl_accesslog=() {\nOracleWebLogicServer_CL\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = tostring(SubEventData0[1])\n| extend SrcUserName = tostring(SubEventData0[2])\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod 
= tostring(SubEventData1[0])\n| extend UrlOriginal = tostring(SubEventData1[1])\n| extend HttpVersion = tostring(SubEventData1[2])\n| extend HttpStatusCode = toint(SubEventData2[0])\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\n| extend HttpReferrerOriginal = tostring(EventData[3])\n| extend HttpUserAgentOriginal = tostring(EventData[5])\n};\nunion isfuzzy=true owl_serverlog, owl_accesslog\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventType\n , EventStartTime\n , DvcTimeZone\n , EventSeverity\n , Subsystem\n , DvcHostname\n , SrcDvcHostname\n , ThreadId\n , SrcUserName\n , TransactionId\n , DiagnosticContextId\n , RawTimeValue\n , EventOriginalUid\n , EventMessage\n , SrcIpAddr\n , ClientIdentity\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -393,42 +411,24 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 1 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogic403RequestsFiles_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogic403RequestsFiles_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -456,13 +456,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -481,46 +481,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 2 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Request to forbidden files",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicAbnormalRequestSize_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicAbnormalRequestSize_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -548,13 +541,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -573,46 +566,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 3 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Abnormal request size",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicCriticalEventSeverity_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicCriticalEventSeverity_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -640,13 +626,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -665,46 +651,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 4 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Critical event severity",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicErrors_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicErrors_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_4",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -732,13 +711,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -757,46 +736,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 5 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Error messages",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicFilesErrorRequests_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicFilesErrorRequests_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -824,13 +796,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -849,46 +821,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 6 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Top files requested by users with error",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicRareUAWithClientErrors_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicRareUAWithClientErrors_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_6",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -916,13 +881,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -941,46 +906,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 7 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Rare user agents with client errors",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicRareURLsRequested_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicRareURLsRequested_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_7",
"location": "[parameters('workspace-location')]",
"properties": {
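Review bot: The hunting-query contentTemplate pins `"version": "1.0.0"` and seeds `contentProductId`/`id` with the literal `'1.0.0'` (L3303–L3305), while the same content's `mainTemplate.contentVersion` (L3246) and metadata `version` (L3271) read `variables('huntingQueryObject6').huntingQueryVersion6`. If that variable is ever set to anything other than 1.0.0, the contentTemplate version and the metadata version will disagree for the same query; the data-connector block at L3706–L3708 already shows the intended pattern with `"version": "[variables('dataConnectorVersion1')]"`. I would write `"version": "[variables('huntingQueryObject6').huntingQueryVersion6]"` here, and the literal inside the `uniqueString` seed can stay if the product id must remain stable across versions. The same pattern repeats for queries 7–10 in the hunks ending at L3424, L3508, L3592 and L3664.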
@@ -1008,13 +966,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1033,46 +991,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 8 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Rare URLs requested",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicUncommonUserAgents_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicUncommonUserAgents_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_8",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1100,13 +1051,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1125,46 +1076,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 9 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Rare user agents",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicUrlClienterrors_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicUrlClienterrors_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_9",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1192,13 +1136,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1217,46 +1161,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "OracleWebLogicServer Hunting Query 10 with template",
- "displayName": "OracleWebLogicServer Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Top URLs client errors",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicUrlServerErrors_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "OracleWebLogicUrlServerErrors_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
+ "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "OracleWebLogicServer_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1284,13 +1221,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]",
"properties": {
"description": "OracleWebLogicServer Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1309,37 +1246,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Oracle - Top URLs server errors",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "OracleWebLogicServer data connector with template",
- "displayName": "OracleWebLogicServer template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicServer data connector with template version 2.0.1",
+ "description": "OracleWebLogicServer data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1355,7 +1285,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Oracle WebLogic Server",
+ "title": "Oracle WebLogic Server (using Azure Functions)",
"publisher": "Oracle",
"descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
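Review bot: The new connector title "Oracle WebLogic Server (using Azure Functions)" does not match how this connector collects data: the instruction step in the next hunk says `Install the agent on the Oracle WebLogic Server where the logs are generated` and the connector is declared `"kind": "GenericUI"` in the hunk ending at L3726, both of which describe Log Analytics agent collection rather than an Azure Functions app. The same string is introduced as `displayName` at L3705 and as the second `title` at L3723. A misleading name in the Content Hub has operational cost: an analyst troubleshooting missing events may look for a Function App that does not exist. Unless the collection path actually changed elsewhere in this PR, keep `"title": "Oracle WebLogic Server"` in all three places, or update the instruction steps to match.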
@@ -1416,7 +1346,7 @@
},
"instructionSteps": [
{
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install the agent on the Oracle WebLogic Server where the logs are generated.\n\n> Logs from Oracle WebLogic Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
@@ -1513,7 +1443,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
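Review bot: The metadata `apiVersion` is bumped to `2023-04-01-preview` here (and again at L3714) only for the DataConnector metadata resource; the HuntingQuery and AnalyticsRule metadata resources touched in this same diff stay on `2022-01-01-preview` (L3260, L3818). If the bump is deliberate because the connector metadata needs something only the newer API exposes, the PR description should say so; otherwise aligning every `Microsoft.OperationalInsights/workspaces/providers/metadata` resource on one apiVersion keeps preview-API churn in one place and makes template validation failures easier to attribute.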
@@ -1538,12 +1468,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Oracle WebLogic Server (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -1579,7 +1520,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Oracle WebLogic Server",
+ "title": "Oracle WebLogic Server (using Azure Functions)",
"publisher": "Oracle",
"descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
"graphQueries": [
@@ -1639,7 +1580,7 @@
},
"instructionSteps": [
{
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install the agent on the Oracle WebLogic Server where the logs are generated.\n\n> Logs from Oracle WebLogic Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
@@ -1737,42 +1678,24 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 1 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicCommandInURI_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicCommandInURI_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1791,10 +1714,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -1806,13 +1729,13 @@
],
"entityMappings": [
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
}
]
}
@@ -1820,13 +1743,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1845,46 +1768,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 2 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Command in URI",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId2')]",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1903,10 +1819,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -1918,13 +1834,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -1932,13 +1848,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -1957,46 +1873,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 3 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Multiple user agents for single source",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicExploitCVE-2021-2109_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicExploitCVE-2021-2109_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId3')]",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
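Review bot: The `description` on the new contentTemplates resource hard-codes the solution version (`"... Analytics Rule with template version 3.0.0"`) while `packageVersion` and `version` a few lines further down read `variables('_solutionVersion')` and the rule's version variable, so every future bump has to edit each description by hand and the text can drift from what is actually deployed. If the description is meant to track the solution version, derive it from the same variable: `"description": "[concat('OracleWebLogicExploitCVE-2021-2109_AnalyticalRules Analytics Rule with template version ', variables('_solutionVersion'))]"`. The same pattern appears in the matching hunks for rules 4 through 9 below. If this mainTemplate.json is generated by the packaging tool, the fix belongs in the generator rather than in this file; the enclosing resource object continues past the end of this hunk.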
@@ -2015,10 +1924,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2029,13 +1938,13 @@
],
"entityMappings": [
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
}
]
}
@@ -2043,13 +1952,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2068,46 +1977,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 4 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Oracle WebLogic Exploit CVE-2021-2109",
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicKnownMaliciousUserAgents_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicKnownMaliciousUserAgents_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId4')]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2126,10 +2028,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2141,13 +2043,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -2155,13 +2057,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2180,46 +2082,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 5 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Malicious user agent",
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2238,10 +2133,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2253,13 +2148,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -2267,13 +2162,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2292,46 +2187,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 6 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Multiple client errors from single IP",
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicMultipleServerErrorsRequestsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicMultipleServerErrorsRequestsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId6')]",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2350,10 +2238,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2367,13 +2255,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -2381,13 +2269,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2406,46 +2294,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 7 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Multiple server errors from single IP",
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicPrivateIpInUrl_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicPrivateIpInUrl_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2464,10 +2345,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2479,22 +2360,22 @@
],
"entityMappings": [
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -2502,13 +2383,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2527,46 +2408,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 8 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Private IP in URL",
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2585,10 +2459,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2600,22 +2474,22 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
}
]
}
@@ -2623,13 +2497,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2648,46 +2522,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 9 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Put file and get file from same IP address",
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicPutSuspiciousFiles_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicPutSuspiciousFiles_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId9')]",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2706,10 +2573,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2723,31 +2590,31 @@
],
"entityMappings": [
{
+ "entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "FileCustomEntity"
}
- ],
- "entityType": "File"
+ ]
},
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -2755,13 +2622,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2780,46 +2647,39 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "OracleWebLogicServer Analytics Rule 10 with template",
- "displayName": "OracleWebLogicServer Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Put suspicious file",
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleWebLogicRequestToSensitiveFiles_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "OracleWebLogicRequestToSensitiveFiles_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId10')]",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2838,10 +2698,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
- ]
+ ],
+ "connectorId": "OracleWebLogicServer"
}
],
"tactics": [
@@ -2852,22 +2712,22 @@
],
"entityMappings": [
{
+ "entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "FileCustomEntity"
}
- ],
- "entityType": "File"
+ ]
},
{
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
}
- ],
- "entityType": "URL"
+ ]
}
]
}
@@ -2875,13 +2735,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
"properties": {
"description": "OracleWebLogicServer Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"source": {
"kind": "Solution",
"name": "OracleWebLogicServer",
@@ -2900,17 +2760,35 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Oracle - Request to sensitive files",
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "OracleWebLogicServer",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Oracle WebLogic Server solution for Microsoft Sentinel provides the capability to ingest Oracle Web Logic Server events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\n- Azure Monitor HTTP Data Collector API
\n
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2938,58 +2816,58 @@
},
{
"kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "version": "[variables('parserObject1').parserVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]"
},
{
"kind": "DataConnector",
@@ -2998,53 +2876,53 @@
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
}
]
},
diff --git a/Solutions/OracleWebLogicServer/Package/testParameters.json b/Solutions/OracleWebLogicServer/Package/testParameters.json
new file mode 100644
index 0000000000..5187368f6d
--- /dev/null
+++ b/Solutions/OracleWebLogicServer/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Oracle WebLogic Server",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt
deleted file mode 100644
index 232cce9e5b..0000000000
--- a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt
+++ /dev/null
@@ -1,72 +0,0 @@
-// This function parses Oracle WebLogic Server server.log and access.log
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let owl_serverlog =() {
-OracleWebLogicServer_CL
-| where RawData startswith "####"
-| extend EventVendor = "Oracle"
-| extend EventProduct = 'Oracle WebLogic Server'
-| extend EventType = 'ServerLog'
-| extend EventData = extract_all(@"<(.*?)>", RawData)
-| extend EventStartTime = todatetime(replace(@',\d+', @'', replace(@'(\s\d{1,2}),', @'\1', extract(@'\A(.*(PM|AM))', 1, tostring(EventData[0])))))
-| extend DvcTimeZone = extract(@'\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))
-| extend EventSeverity = tostring(EventData[1])
-| extend Subsystem = tostring(EventData[2])
-| extend DvcHostname = tostring(EventData[3])
-| extend SrcDvcHostname = tostring(EventData[4])
-| extend TreadId = tostring(EventData[5])
-| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))
-| extend TransactionId = tostring(EventData[7])
-| extend DiagnosticContextId = tostring(EventData[8])
-| extend RawTimeValue = tostring(EventData[9])
-| extend EventOriginalUid = tostring(EventData[10])
-| extend EventMessage = tostring(EventData[11])
-};
-let owl_accesslog=() {
-OracleWebLogicServer_CL
-| where RawData matches regex @'\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*\[.*\]\s\"(GET|POST)'
-| extend EventVendor = "Oracle"
-| extend EventProduct = 'Oracle WebLogic Server'
-| extend EventType = 'AccessLog'
-| extend EventData = split(RawData, '"')
-| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')
-| extend SubEventData1 = split(EventData[1], ' ')
-| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')
-| extend SrcIpAddr = tostring(SubEventData0[0])
-| extend ClientIdentity = tostring(SubEventData0[1])
-| extend SrcUserName = tostring(SubEventData0[2])
-| extend EventStartTime = todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)(\-|\+)\d+\]', 1, RawData))))
-| extend HttpRequestMethod = tostring(SubEventData1[0])
-| extend UrlOriginal = tostring(SubEventData1[1])
-| extend HttpVersion = tostring(SubEventData1[2])
-| extend HttpStatusCode = toint(SubEventData2[0])
-| extend HttpResponseBodyBytes = toint(SubEventData2[1])
-| extend HttpReferrerOriginal = tostring(EventData[3])
-| extend HttpUserAgentOriginal = tostring(EventData[5])
-};
-union isfuzzy=true owl_serverlog, owl_accesslog
-| project TimeGenerated
- , EventVendor
- , EventProduct
- , EventType
- , EventStartTime
- , DvcTimeZone
- , EventSeverity
- , Subsystem
- , DvcHostname
- , SrcDvcHostname
- , TreadId
- , SrcUserName
- , TransactionId
- , DiagnosticContextId
- , RawTimeValue
- , EventOriginalUid
- , EventMessage
- , SrcIpAddr
- , ClientIdentity
- , HttpRequestMethod
- , UrlOriginal
- , HttpVersion
- , HttpStatusCode
- , HttpResponseBodyBytes
- , HttpReferrerOriginal
- , HttpUserAgentOriginal
diff --git a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml
index d134fd3b71..0f8d6ba105 100644
--- a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml
+++ b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml
@@ -20,7 +20,7 @@ FunctionQuery: |
| extend Subsystem = tostring(EventData[2])
| extend DvcHostname = tostring(EventData[3])
| extend SrcDvcHostname = tostring(EventData[4])
- | extend TreadId = tostring(EventData[5])
+ | extend ThreadId = tostring(EventData[5])
| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))
| extend TransactionId = tostring(EventData[7])
| extend DiagnosticContextId = tostring(EventData[8])
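Review bot: Renaming the output column from TreadId to ThreadId on the extend here and on the projected column list in the second hunk (@@ -61,7) changes the schema exposed by the OracleWebLogicServerEvent function, so any analytic rule, hunting query or workbook that still selects TreadId will fail at query time rather than at deployment. None of those consumers are visible in this chunk; the solution description lists 10 analytic rules, 10 hunting queries and 1 workbook, so please confirm each has been checked for the old name. If a transition period is wanted, a temporary alias before the final project, `| extend TreadId = ThreadId`, keeps existing queries working at the cost of one extra column until they are migrated. The enclosing FunctionQuery block starts before this hunk.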
@@ -61,7 +61,7 @@ FunctionQuery: |
, Subsystem
, DvcHostname
, SrcDvcHostname
- , TreadId
+ , ThreadId
, SrcUserName
, TransactionId
, DiagnosticContextId
diff --git a/Solutions/OracleWebLogicServer/ReleaseNotes.md b/Solutions/OracleWebLogicServer/ReleaseNotes.md
new file mode 100644
index 0000000000..93073e71e4
--- /dev/null
+++ b/Solutions/OracleWebLogicServer/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.0 | 15-12-2023 | Updated the **Parser** field TreadId to ThreadId |
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip
index a3e786bfd3..9f1e61db92 100644
Binary files a/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip and b/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip differ
diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
index 27926a28b3..36f7b8965c 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
@@ -61,18 +61,16 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "huntingQueryVersion1": "1.0.0",
- "huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
- "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
- "huntingQueryVersion2": "1.0.2",
- "huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d",
- "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
- "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
- "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.0",
+ "_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]"
+ },
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "1.0.2",
+ "_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]"
+ },
"workbookVersion1": "1.2.0",
"workbookContentId1": "PaloAltoOverviewWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -86,30 +84,34 @@
"workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
- "analyticRuleVersion1": "1.0.0",
- "analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.3.1",
- "analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.2",
- "analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.2",
- "analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.3.1",
+ "_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.1')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.2",
+ "_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.2')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.2",
+ "_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.2')))]"
+ },
"PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"TemplateEmptyArray": "[json('[]')]",
@@ -152,6 +154,7 @@
"_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"PaloAlto-PAN-OS-BlockIP": "PaloAlto-PAN-OS-BlockIP",
"_PaloAlto-PAN-OS-BlockIP": "[variables('PaloAlto-PAN-OS-BlockIP')]",
+ "TemplateEmptyObject": "[json('{}')]",
"playbookVersion6": "1.0",
"playbookContentId6": "PaloAlto-PAN-OS-BlockIP",
"_playbookContentId6": "[variables('playbookContentId6')]",
@@ -545,7 +548,7 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -554,7 +557,7 @@
"description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
@@ -584,13 +587,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -615,18 +618,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - high-risk ports",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -635,7 +638,7 @@
"description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
@@ -669,13 +672,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -700,12 +703,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - potential beaconing detected",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]",
+ "version": "1.0.2"
}
},
{
@@ -717,7 +720,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoOverviewWorkbook Workbook with template version 3.0.0",
+ "description": "PaloAltoOverview Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -805,7 +808,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoNetworkThreatWorkbook Workbook with template version 3.0.0",
+ "description": "PaloAltoNetworkThreat Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -887,7 +890,7 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -896,13 +899,13 @@
"description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -921,10 +924,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ],
- "connectorId": "PaloAltoNetworks"
+ ]
}
],
"tactics": [
@@ -939,13 +942,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "SourceIP",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -953,13 +956,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -984,18 +987,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto Threat signatures from Unusual IP addresses",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1004,13 +1007,13 @@
"description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1029,10 +1032,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ],
- "connectorId": "PaloAltoNetworks"
+ ]
}
],
"tactics": [
@@ -1040,44 +1043,44 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Host"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "FileHash",
"fieldMappings": [
{
- "identifier": "Value",
- "columnName": "FileHashValue"
+ "columnName": "FileHashValue",
+ "identifier": "Value"
},
{
- "identifier": "Algorithm",
- "columnName": "FileHashType"
+ "columnName": "FileHashType",
+ "identifier": "Algorithm"
}
- ],
- "entityType": "FileHash"
+ ]
}
]
}
@@ -1085,13 +1088,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -1116,18 +1119,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "Microsoft COVID-19 file hash indicator matches",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1136,13 +1139,13 @@
"description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId3')]",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1161,10 +1164,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ],
- "connectorId": "PaloAltoNetworks"
+ ]
}
],
"tactics": [
@@ -1176,31 +1179,31 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Host"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -1208,13 +1211,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -1239,18 +1242,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto - potential beaconing detected",
- "contentProductId": "[variables('_analyticRulecontentProductId3')]",
- "id": "[variables('_analyticRulecontentProductId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1259,13 +1262,13 @@
"description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1284,10 +1287,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ],
- "connectorId": "PaloAltoNetworks"
+ ]
}
],
"tactics": [
@@ -1298,31 +1301,31 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
}
- ],
- "entityType": "Host"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -1330,13 +1333,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -1361,12 +1364,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto - possible internal to external port scanning",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
@@ -5575,7 +5578,8 @@
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "AdaptiveCardBody"
+ "name": "AdaptiveCardBody",
+ "value": "[variables('TemplateEmptyObject')]"
},
"description": "append security policies which the IP address is exist"
}
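Review bot: The added `"value": "[variables('TemplateEmptyObject')]"` is an ARM-template expression, so it is resolved once at deployment time against the template's `variables` section rather than at workflow run time; if `TemplateEmptyObject` is meant to be a Logic Apps workflow variable, the step needs the `@variables('TemplateEmptyObject')` form instead. The template's `variables` block is not in this diff, so please confirm the name is declared there and holds the adaptive-card block this `AppendToArrayVariable` step is expected to append — an undeclared variable fails the whole solution deployment, not just the playbook. The same line is added to three further `AppendToArrayVariable` steps later in this file (the two URL-address steps and the second IP-address step), so the check applies to each.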
@@ -6728,7 +6732,8 @@
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "AdaptiveCardBody"
+ "name": "AdaptiveCardBody",
+ "value": "[variables('TemplateEmptyObject')]"
},
"description": "append security policies which the URL address is exist"
}
@@ -7859,7 +7864,8 @@
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "AdaptiveCardBody"
+ "name": "AdaptiveCardBody",
+ "value": "[variables('TemplateEmptyObject')]"
},
"description": "append security policies which the URL address is exist"
}
@@ -8962,7 +8968,8 @@
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "AdaptiveCardBody"
+ "name": "AdaptiveCardBody",
+ "value": "[variables('TemplateEmptyObject')]"
},
"description": "append security policies which the IP address is exist"
}
@@ -9523,13 +9530,13 @@
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "Workbook",
@@ -9543,23 +9550,23 @@
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "LogicAppsCustomConnector",
diff --git a/Solutions/PaloAlto-PAN-OS/Package/testParameters.json b/Solutions/PaloAlto-PAN-OS/Package/testParameters.json
new file mode 100644
index 0000000000..2b232aa407
--- /dev/null
+++ b/Solutions/PaloAlto-PAN-OS/Package/testParameters.json
@@ -0,0 +1,40 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Palo Alto overview",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook2-name": {
+ "type": "string",
+ "defaultValue": "Palo Alto Network Threat",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
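Review bot: The `workspace` parameter has `"defaultValue": ""` but no `minLength`, unlike `location`, `workbook1-name` and `workbook2-name`, so a deployment that leaves it empty passes parameter validation and only fails later when resource names are built from it. Adding `"minLength": 1` beside its `type` surfaces the mistake at validation time, which matters for a parameters file that is used to drive test deployments. The `workspace-location` entry embeds `parameters('location')` in its description only so arm-ttk sees the parameter used, as the `location` description already explains; that is acceptable but worth keeping identical to the main template's parameter block so the two do not drift.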
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
index 85de002f05..ed9ac8a7d3 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
@@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to take necessary actions on URL address like Block URL/Unblock URL from predefined address group and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockURL",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
- "prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
+ "prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
"lastUpdateTime": "2023-05-30T00:00:00.000Z",
"entities": ["Url"],
"prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_Rest_API_CustomConnector/azuredeploy.json",
diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
index d47a636115..7e42a6ec10 100644
--- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
+++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
@@ -1,3 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 06-10-2023 | Fixed **Playbooks** issue |
\ No newline at end of file
+| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue |
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip
index ca8377b487..f2b2f0456f 100644
Binary files a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip and b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip differ
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
index 18937c93c7..d6f5cd738c 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
@@ -155,7 +155,7 @@
"alwaysOn": true,
"reserved": true,
"siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.9"
}
},
"resources": [
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
index eaa2c3a65a..24d73bd5bb 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
@@ -2,6 +2,6 @@
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
-azure-functions
-azure-functions-durable
-requests
\ No newline at end of file
+azure-functions==1.14.0
+azure-functions-durable==1.2.3
+requests==2.31.0
\ No newline at end of file
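Review bot: Pinning exact versions makes the Function build reproducible, but version-only pins do not verify what pip actually downloads; for a connector deployed into customer tenants consider adding `--hash=sha256:<hash-from-pip-download>` entries to each line so the build runs in pip's `--require-hashes` mode. Pins also freeze security updates, so `requests==2.31.0` and the two azure-functions packages need an owner and a refresh cadence, otherwise later security releases are never picked up. Please also confirm the connector code imports durable functions; if it does not, `azure-functions-durable==1.2.3` is an unused dependency that only widens the supply-chain surface. The file still ends without a trailing newline, which some tooling flags.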
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml
index 891c8035c7..8cf4a93e84 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml
@@ -30,6 +30,13 @@ query: |
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
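Review bot: The `extend HostName = ..., DnsDomain = ...` line is copied verbatim into all eight TenableAD rules in this commit (ADAttacksPathways, DCShadow, DCSync, GoldenTicket, IndicatorsOfAttack, IndicatorsOfExposures, LSASSMemory, PasswordGuessing); since every rule already goes through `afad_parser`, deriving `HostName` and `DnsDomain` once in the parser would keep the Host entity consistent across rules and let any fix land in one place. When `Host` is a bare name without dots, `array_slice(split(Host, '.'), 1, -1)` yields an empty array and `DnsDomain` comes out empty, which Sentinel accepts for a Host entity but gives a weaker key for correlation — worth a query comment such as `// DnsDomain is empty when Host is not an FQDN`. Whether `Host` is the Active Directory host reported by Tenable.ad or the hostname of the syslog forwarder is not visible in the hunk; please confirm, because mapping the forwarder would attach every alert to the same host entity. The added line must also sit at the same indentation as `| order by Level` inside the `query: |` block scalar, which the diff rendering does not make certain.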
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml
index b998b344af..d5755fc9c0 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "DCShadow"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
index 00fec99e8b..780b01c55d 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "DCSync"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
index 5dc91bf94e..dbd430f305 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "Golden Ticket"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
index 200a8f1f54..5446adb10a 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
@@ -29,6 +29,13 @@ query: |
| where MessageType == 2
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
index 7c27db2311..9899a81d26 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
@@ -29,6 +29,13 @@ query: |
| where MessageType == 0
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
index b7eccbe503..8949b88fa6 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
index 6f11e512a4..e6b14f68e9 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "Password Guessing"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
index 292e80cb5c..32eeedfe27 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
@@ -30,6 +30,13 @@ query: |
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
index 83cceb632f..abd5c6c230 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
@@ -21,6 +21,13 @@ query: |
// Then, create the Kusto Function with alias afad_parser
afad_parser
| where MessageType == 2 and Codename == "Password Spraying"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
index 74c52de853..c824368207 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
@@ -30,6 +30,13 @@ query: |
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
index 4655dd7be8..a8eaa4a644 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
@@ -30,6 +30,13 @@ query: |
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
index 0e07756ac0..688339a944 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
@@ -1,7 +1,7 @@
id: dd0a6029-ecef-4507-89c4-fc355ac52111
-name: TI map Domain entity to CommonSecurityLog
+name: TI map Domain entity to PaloAlto CommonSecurityLog
description: |
- Identifies a match in CommonSecurityLog table from any Domain IOC from TI
+ Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
@@ -23,35 +23,8 @@ query: |
let dt_lookBack = 1h; // Look back 1 hour
let ioc_lookBack = 14d; // Look back 14 days
// Create a list of top-level domains (TLDs) from the threat feed data for later validation
- let list_tlds =
- ThreatIntelligenceIndicator
- // Filter indicators based on the specified time range and active indicators
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
- // Convert domain names to lowercase for consistency
- | extend DomainName = tolower(DomainName)
- // Split domain names into parts and extract the TLD
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts) - 1)]
- // Count the occurrences of each TLD
- | summarize count() by tostring(tld)
- // Create a list of TLDs
- | summarize make_list(tld);
- // Retrieve threat intelligence indicators within the specified time range
- let Domain_Indicators =
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- // Filter indicators that have a non-empty domain name
- | where isnotempty(DomainName)
- | extend TI_DomainEntity = DomainName;
- // Join threat intelligence indicators with common security logs
- Domain_Indicators
- | join kind=innerunique (
- CommonSecurityLog
+ let SecurityLog = materialize(
+ CommonSecurityLog
// Filter common security logs based on the specified time range
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(dt_lookBack)
@@ -65,12 +38,20 @@ query: |
| extend Domain = trim('"', tostring(parse_url(PA_Url).Host))
| where isnotempty(Domain)
| extend Domain = tolower(Domain)
- | extend parts = split(Domain, '.')
- | extend tld = parts[(array_length(parts) - 1)]
- // Validate parsed domain by checking if the TLD is in the threat feed's TLD list
- | where tld in~ (list_tlds)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
- ) on $left.TI_DomainEntity == $right.Domain
+ );
+ let LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);
+ // Retrieve threat intelligence indicators within the specified time range
+ let Domain_Indicators = materialize(
+ ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_DomainEntity = tolower(DomainName)
+ | where TI_DomainEntity in (LogDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now());
+ // Join threat intelligence indicators with common security logs
+ Domain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId
| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity
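Review bot: The rewritten `Domain_Indicators` block omits the `| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"` filter that the other rewritten and new rules in this commit apply after their `Active == true` check (DomainEntity_SecurityAlert, DomainEntity_DeviceNetworkEvents, DomainEntity_EmailEvents), so indicators tagged inactive or false-positive in their description would still alert from this rule; add the same line after `| where Active == true and ExpirationDateTime > now()` or comment why this rule differs. Separately, `LogDomains` relies on `summarize make_list(Domain)`, which silently truncates at its default 1,048,576-element cap rather than failing; the DnsEvents rule in this same change defines `maxListSize` for exactly that reason, so a comment recording the assumption that one hour of distinct PA URL hosts stays well below the cap would help the next maintainer judge whether chunking is needed here too.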
@@ -88,5 +69,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: PA_Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..09784fa9eb
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml
@@ -0,0 +1,72 @@
+id: c308b2f3-eebe-4a20-905c-cb8293b062db
+name: TI Map Domain Entity to DeviceNetworkEvents
+description: |
+ 'This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceNetworkEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceNetworkEvents_ = DeviceNetworkEvents
+ | where isnotempty(RemoteUrl)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where ActionType !has "ConnectionFailed"
+ | extend Domain = tostring(parse_url(tolower(RemoteUrl)).Host)
+ | where isnotempty(Domain)
+ | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;
+ let DeviceNetworkEventDomains = DeviceNetworkEvents_
+ | distinct Domain
+ | summarize make_list(Domain);
+ ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (DeviceNetworkEventDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceNetworkEvents_) on $left.TI_Domain == $right.Domain
+ | where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime
+ | summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, TI_Domain
+ | project DeviceNetworkEvents_TimeGenerated, IndicatorId, TI_Domain, Url = RemoteUrl, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort
+ | extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
+ | extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: Process
+ fieldMappings:
+ - identifier: CommandLine
+ columnName: InitiatingProcessCommandLine
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
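Review bot: `Domain = tostring(parse_url(tolower(RemoteUrl)).Host)` yields an empty `Host` when the input has no scheme, and `RemoteUrl` in DeviceNetworkEvents is, as far as I know, usually a bare FQDN rather than a full URL — confirm against live data; if so, the following `isnotempty(Domain)` silently discards most rows and the rule never fires. A scheme-tolerant parse avoids that: `| extend Domain = tostring(parse_url(iff(RemoteUrl contains "://", tolower(RemoteUrl), strcat("http://", tolower(RemoteUrl)))).Host)`. Also, `ActionType !has "ConnectionFailed"` excludes blocked or failed attempts to reach an indicator domain, which are often the most useful sign of an attempted beacon; if the exclusion is a deliberate noise trade-off, a one-line comment above it (e.g. `// Failed connections excluded to limit noise; remove to catch blocked beaconing`) will stop the next reader from treating it as a bug.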
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
index 26bb96db16..36fdfff3e2 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
@@ -28,11 +28,11 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to domains
let Domain_Indicators = ThreatIntelligenceIndicator
+ // Filter out indicators without domain names
+ | where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
- // Filter out indicators without domain names
- | where isnotempty(DomainName)
| extend TI_DomainEntity = DomainName;
// Create a list of TLDs in our threat feed for later validation
let maxListSize = 100000; // Define the maximum allowed size for each list
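Review bot: Moving `| where isnotempty(DomainName)` ahead of the `arg_max(TimeGenerated, *) by IndicatorId` deduplication changes what "latest" means: the per-indicator winner is now the newest row that still carries a DomainName, so if a later revision of the same IndicatorId dropped or retyped the domain, the older revision survives and is judged on its own `Active`/`ExpirationDateTime` values rather than the current ones. This is probably an acceptable trade for the reduced scan, but it is a semantic change rather than a pure reorder, and the same reorder appears in DomainEntity_PaloAlto (both hunks), DomainEntity_Syslog, DomainEntity_imWebSession and EmailEntity_AzureActivity. A comment on the moved line such as `// Filter before dedup is intentional: only revisions carrying a DomainName are considered` would record the decision once the behaviour has been confirmed acceptable.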
@@ -81,5 +81,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml
new file mode 100644
index 0000000000..96ab3a9ff0
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml
@@ -0,0 +1,55 @@
+id: 96307710-8bb9-4b45-8363-a90c72ebf86f
+name: TI map Domain entity to EmailEvents
+description: |
+ 'Identifies a match in EmailEvents table from any Domain IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has "Blocked" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromDomain = tolower(SenderFromDomain) | extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1))));
+ let SenderDomains = EmailEvents_ | distinct SenderFromDomain | summarize make_list(SenderFromDomain);
+ let RecipientDomains = EmailEvents_ | distinct RecipientEmailDomain | summarize make_list(RecipientEmailDomain);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (SenderDomains) or TI_Domain in (RecipientDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
+ (union
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.SenderFromDomain),
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.RecipientEmailDomain))
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress
+ | project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_Domain, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+version: 1.0.0
+kind: Scheduled
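Review bot: `RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)))` in the `EmailEvents_` definition is missing the `[0]` index: `split(..., 1)` returns a one-element dynamic array, so `tostring` of it is the JSON text `["example.com"]` (constructed example) and can never equal `TI_Domain` in either the `in (RecipientDomains)` prefilter or the second join, which silently disables the recipient-domain half of the rule. The `Name`/`UPNSuffix` line further down does it correctly; change the definition to `| extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)[0]))`. Writing `EmailEvents_` one operator per line, as the other rules in this commit do, would have made the missing index visible in review.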
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
new file mode 100644
index 0000000000..e15544a83c
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
@@ -0,0 +1,76 @@
+id: 87cc75df-d7b2-44f1-b064-ee924edfc879
+name: TI map Domain entity to EmailUrlInfo
+description: |
+ 'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailUrlInfo
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailUrlInfo_ = materialize(EmailUrlInfo
+ | where isnotempty(UrlDomain)
+ | where TimeGenerated > ago(dt_lookBack)
+ | project-rename Email_Url = Url);
+ let Domains = EmailUrlInfo_
+ | distinct UrlDomain
+ | summarize make_list(UrlDomain);
+ let Candidates = ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (Domains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain
+ | join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId
+ | where DeliveryLocation !has "Quarantine"
+ // Customize and uncomment the following line to remove security related mailboxes
+ //| where tolower(RecipientEmailAddress) !in ("secmailbox1@example.com", "secmailbox2@example.com")
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;
+ let Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);
+ ThreatIntelligenceIndicator
+ | where isnotempty(Url)
+ | where TimeGenerated > ago(ioc_lookBack)
+ | extend Host = tostring(parse_url(Url).Host)
+ | where Host in (Candidate_Domains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, "://", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl
+ | where DeliveryAction !has "Blocked"
+ | project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+version: 1.0.0
+kind: Scheduled
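Review bot: The query joins `EmailEvents` (the `on $left.NetworkMessageId == $right.NetworkMessageId` join) but `requiredDataConnectors` for Office365 lists only `EmailUrlInfo`; add `- EmailEvents` under that `dataTypes` entry so the rule's dependency is declared. Next, `UrlDomain` is not lowercased before `make_list` or in the `$left.TI_Domain == $right.UrlDomain` join while `TI_Domain` is `tolower(DomainName)`; both `in` and `==` are case-sensitive, so if `UrlDomain` can carry mixed case (I cannot confirm from here) add `| extend UrlDomain = tolower(UrlDomain)` inside `EmailUrlInfo_`, and the same applies to `Host = tostring(parse_url(Url).Host)` in the second stage. Finally, the second stage only emits rows where a separate URL-type indicator exactly equals the rebuilt `BaseUrl`, so a mail linking to a Domain IOC with no matching URL IOC produces no alert despite the rule's name; if that narrowing is intended, state it in `description`.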
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
index 27a1248acf..fcd925e541 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
@@ -28,10 +28,10 @@ query: |
// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains
let list_tlds =
ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
| extend DomainName = tolower(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts)-1)]
@@ -39,11 +39,11 @@ query: |
| summarize make_list(tld);
let Domain_Indicators =
ThreatIntelligenceIndicator
+ // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)
+ | where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
- // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)
- | where isnotempty(DomainName)
| extend TI_DomainEntity = DomainName;
Domain_Indicators
// Join with CommonSecurityLog to find potential malicious activity
@@ -90,5 +90,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: PA_Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml
index 31859ac00c..7e0eb62428 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml
@@ -26,55 +26,40 @@ triggerThreshold: 0
tactics:
- Impact
query: |
- let dt_lookBack = 1h; // Lookback time for recent data, set to 1 hour
- let ioc_lookBack = 14d; // Lookback time for threat feed data, set to 14 days
- // Create a list of TLDs in our threat feed for later validation
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- let Domain_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | extend TI_DomainEntity = DomainName;
- Domain_Indicators
- // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- SecurityAlert
- | where TimeGenerated > ago(dt_lookBack)
- | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
- | where MSTI == false
- // Extract domain patterns from message
- | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1,1]), tolower(Entities))))
- | mv-expand domain
- | extend domain = tostring(domain[0])
- | extend parts = split(domain, '.')
- // Split out the TLD
- | extend tld = parts[(array_length(parts)-1)]
- // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
- | where tld in~ (list_tlds)
- // Converting Entities into dynamic data type and use mv-expand to unpack the array
- | extend EntitiesDynamicArray = parse_json(Entities)
- | mv-apply EntitiesDynamicArray on
- (summarize
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let SecurityAlerts = SecurityAlert
+ | where TimeGenerated > ago(dt_lookBack)
+ | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1]), tolower(Entities))))
+ | where isnotempty(domain)
+ | mv-expand domain
+ | extend domain = tostring(domain)
+ | extend EntitiesDynamicArray = parse_json(Entities)
+ | mv-apply EntitiesDynamicArray on
+ (summarize
HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == "host"),
IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == "ip")
- )
- | extend Alert_TimeGenerated = TimeGenerated
- | extend Alert_Description = Description
- ) on $left.TI_DomainEntity == $right.domain
- | where Alert_TimeGenerated < ExpirationDateTime
- | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName
- | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity
- | extend timestamp = Alert_TimeGenerated
+ )
+ | extend Alert_TimeGenerated = TimeGenerated
+ | extend Alert_Description = Description;
+ let AlertDomains = SecurityAlerts
+ | distinct domain
+ | summarize make_list(domain);
+ let Domain_Indicators = materialize(ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_DomainEntity = tolower(DomainName)
+ | where TI_DomainEntity in (AlertDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
+ Domain_Indicators
+ // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain
+ | where Alert_TimeGenerated < ExpirationDateTime
+ | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName
+ | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity
+ | extend timestamp = Alert_TimeGenerated
entityMappings:
- entityType: Host
fieldMappings:
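Review bot: The rewrite drops the `MSTI` exclusion (`AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel'`) that the old query used to skip alerts produced by the TI map rules themselves, and the new `SecurityAlerts` definition has no replacement; since those alerts carry the matched domain in `Entities`, this rule will now re-alert on every other TI domain match in the workspace and duplicate incidents. Restore the guard inside `SecurityAlerts`, e.g. `| where not(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel')`, directly after the `TimeGenerated > ago(dt_lookBack)` filter. The change from `dynamic([1,1])` to `dynamic([1])` with `tostring(domain)` looks correct for a single capture group.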
@@ -88,5 +73,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.1
+version: 1.4.2
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml
index d5115e2160..583024e680 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml
@@ -27,20 +27,20 @@ query: |
let ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)
// Create a list of top-level domains (TLDs) from the threat feed for later validation
let list_tlds = ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
| where TimeGenerated > ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts)-1)]
| summarize count() by tostring(tld)
| summarize make_list(tld);
// Fetch the latest active domain indicators from the threat intelligence data within the specified time range
let Domain_Indicators = ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
| extend TI_DomainEntity = DomainName;
// Join the threat intelligence indicators with syslog data on matching domain entities
Domain_Indicators
@@ -83,5 +83,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml
index 456273bb25..c7e5f7cf0e 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml
@@ -1,7 +1,7 @@
id: b1832f60-6c3d-4722-a0a5-3d564ee61a63
name: TI map Domain entity to Web Session Events (ASIM Web Session schema)
description: |
- 'This rule identifies Web Sessions for which the target URL hostname is a known IoC.
This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'
+ 'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'
severity: Medium
requiredDataConnectors:
- connectorId: SquidProxy
@@ -13,6 +13,9 @@ requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
@@ -28,11 +31,11 @@ query: |
let ioc_lookBack = 14d;
//Create a list of TLDs in our threat feed for later validation
let DOMAIN_TI=ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
// Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName);
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName)
| project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
DOMAIN_TI
@@ -68,5 +71,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC
alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.0.4
+version: 1.0.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml
index 53f1aed8ca..ea7869cc6b 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml
@@ -27,11 +27,11 @@ query: |
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
//Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)
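Review bot: The indicator's EmailSenderAddress is compared as-is on this side, while the sibling rules touched by this change (EmailEvents, OfficeActivity, SigninLogs) lower-case both sides before matching; KQL `==` and `in` are case-sensitive, so an indicator stored with any upper-case characters would never match a Caller recorded in lower case. The join condition itself is below the hunk, so this is inferred from the pattern in the other files rather than from visible lines. Suggest `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the TI side and `| extend Caller = tolower(Caller)` on the AzureActivity side before the join, keeping the original value in a separate column if it is needed for display.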
@@ -62,5 +62,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml
new file mode 100644
index 0000000000..1a6df21b87
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml
@@ -0,0 +1,54 @@
+id: 11f7c6e3-f066-4b3c-9a81-b487ec0a6873
+name: TI map Email entity to EmailEvents
+description: |
+ 'Identifies a match in EmailEvents table from any Email IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has "Blocked" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromAddress = tolower(SenderFromAddress) | extend RecipientEmailAddress = tolower(RecipientEmailAddress));
+ let SenderAddresses = EmailEvents_ | distinct SenderFromAddress | summarize make_list(SenderFromAddress);
+ let RecipientAddresses = EmailEvents_ | distinct RecipientEmailAddress | summarize make_list(RecipientEmailAddress);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(EmailSenderAddress)
+ | extend TI_EmailAddress = tolower(EmailSenderAddress)
+ | where TI_EmailAddress in (SenderAddresses) or TI_EmailAddress in (RecipientAddresses)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now());
+ (union
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.SenderFromAddress),
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.RecipientEmailAddress))
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, TI_EmailAddress
+ | project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_EmailAddress, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+version: 1.0.0
+kind: Scheduled
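Review bot: The only entity mapped is the Account built from RecipientEmailAddress, so when the indicator matched SenderFromAddress (the usual case for a TI EmailSenderAddress indicator) the matching address itself is never surfaced as an entity and cannot be pivoted on from the incident. Consider adding a MailMessage entity mapping with `Sender` → `SenderFromAddress`, `Recipient` → `RecipientEmailAddress` and `Subject` → `Subject`, all of which the project already keeps. The `DeliveryAction !has "Blocked"` exclusion is a deliberate noise-reduction choice a reader cannot infer; a comment such as `// skip messages already blocked at delivery; delivered or junked mail is what needs triage` would make the intent explicit. The inline `where TI_EmailAddress in (SenderAddresses) or ...` pre-filter is a good perf improvement, but note it relies on `in` accepting the make_list() column; the DeviceFileEvents rule in this same change uses a plain `distinct` column for the same purpose, and the two conventions should be aligned.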
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
index 4d57ff925f..3cae8c7985 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
@@ -26,23 +26,25 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
+ let OfficeEvents = materialize(
+ OfficeActivity
+ | where isnotempty(UserId)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where UserId matches regex emailregex
+ | project-rename OfficeActivity_TimeGenerated = TimeGenerated);
+ let OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- //Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where tolower(EmailSenderAddress) in (OfficeActivityUPNs)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)
- | where UserId matches regex emailregex
- | extend OfficeActivity_TimeGenerated = TimeGenerated
- )
- on $left.EmailSenderAddress == $right.UserId
+ | join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId
| where OfficeActivity_TimeGenerated < ExpirationDateTime
| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId
- | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
- EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
+ | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
| extend timestamp = OfficeActivity_TimeGenerated
entityMappings:
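Review bot: The new pre-filter compares lower-cased values (`tolower(UserId)` when building OfficeActivityUPNs and `tolower(EmailSenderAddress)` on the indicator), but the join that follows is still `$left.EmailSenderAddress == $right.UserId` on the raw, un-normalised columns; since `==` is case-sensitive, an indicator that passes the pre-filter only because of case folding is then dropped by the join, so the two filters disagree. Normalise once, on both sides, so every later comparison sees the same value: add `| extend UserId = tolower(UserId)` inside the OfficeEvents materialize after the regex check, and `| extend EmailSenderAddress = tolower(EmailSenderAddress)` before the join. The original join had the same case-sensitivity, so this is pre-existing, but the new pre-filter makes the mismatch easier to hit.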
@@ -60,5 +62,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml
index 04199d7dc7..db7b384ef7 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml
@@ -27,11 +27,11 @@ query: |
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
//Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
@@ -61,5 +61,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml
index d859239f10..b424fe2452 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml
@@ -27,11 +27,11 @@ query: |
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
//Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
SecurityAlert
@@ -67,5 +67,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.5
+version: 1.2.6
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml
index 98872d798c..537c228c67 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml
@@ -33,11 +33,11 @@ query: |
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
//Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
(union isfuzzy=true
@@ -85,5 +85,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.3.4
+version: 1.3.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml
index f302b0ddc8..3b4542ea36 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml
@@ -29,37 +29,31 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
- let aadFunc = (tableName:string){
+ let Signins = materialize(union isfuzzy=true
+ ( SigninLogs | where TimeGenerated >= ago(dt_lookBack)),
+ ( AADNonInteractiveUserSignInLogs | where TimeGenerated >= ago(dt_lookBack)
+ | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))
+ | where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex
+ | extend UserPrincipalName = tolower(UserPrincipalName)
+ | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)
+ | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
+ | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)
+ | extend SigninLogs_TimeGenerated = TimeGenerated);
+ let SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
//Filtering the table for Email related IOCs
| where isnotempty(EmailSenderAddress)
- // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)
- //Normalizing the column to lower case for exact match with EmailSenderAddress column
- | extend UserPrincipalName = tolower(UserPrincipalName)
- | where UserPrincipalName matches regex emailregex
- | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)
- | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
- | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)
- // renaming timestamp column so it is clear the log this came from SigninLogs table
- | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
- )
- on $left.EmailSenderAddress == $right.UserPrincipalName
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where EmailSenderAddress in (SigninUPNs)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName
| where SigninLogs_TimeGenerated < ExpirationDateTime
| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName
- | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
- EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,
- StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type
+ | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type
| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
| extend timestamp = SigninLogs_TimeGenerated
- };
- let aadSignin = aadFunc("SigninLogs");
- let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
- union isfuzzy=true aadSignin, aadNonInt
entityMappings:
- entityType: Account
fieldMappings:
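Review bot: `where EmailSenderAddress in (SigninUPNs)` compares the raw indicator value against a list that was lower-cased by `| extend UserPrincipalName = tolower(UserPrincipalName)`, and `in` is case-sensitive, so any indicator whose EmailSenderAddress contains upper-case characters is excluded before it reaches the join (which has the same problem on `$left.EmailSenderAddress == $right.UserPrincipalName`). The removed code already joined on the raw EmailSenderAddress, so the gap is pre-existing, but the new pre-filter is where it now bites first. Add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` immediately after `| where isnotempty(EmailSenderAddress)` (or use `in~` for the pre-filter), so the pre-filter and the join use the same normalised value.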
@@ -75,5 +69,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
index 5e93d7a428..9a5e9c581e 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
@@ -26,10 +26,10 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let fileHashIndicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where isnotempty(FileHashValue)
+ | where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- | where isnotempty(FileHashValue);
+ | where Active == true and ExpirationDateTime > now();
// Handle matches against both lower case and uppercase versions of the hash:
(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)
| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))
@@ -75,5 +75,5 @@ entityMappings:
columnName: FileHashValue
- identifier: Algorithm
columnName: FileHashType
-version: 1.3.3
+version: 1.3.4
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml
new file mode 100644
index 0000000000..a3d3750991
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml
@@ -0,0 +1,64 @@
+id: bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7
+name: TI map File Hash to DeviceFileEvents Event
+description: |
+ 'Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceFileEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceFileEvents_ = (union
+ (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
+ (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));
+ let Hashes = DeviceFileEvents_ | distinct FileHashValue;
+ ThreatIntelligenceIndicator
+ | where isnotempty(FileHashValue)
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where FileHashValue in (Hashes)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue
+ | where TimeGenerated < ExpirationDateTime
+ | summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId
+ | project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup
+ | extend timestamp = TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: RequestAccountName
+ - identifier: Sid
+ columnName: RequestAccountSid
+ - identifier: NTDomain
+ columnName: RequestAccountDomain
+ - entityType: FileHash
+ fieldMappings:
+ - identifier: Value
+ columnName: FileHashValue
+ - identifier: Algorithm
+ columnName: FileHashType
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
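Review bot: The hash comparison here (`FileHashValue in (Hashes)` and the join on `$left.FileHashValue == $right.FileHashValue`) is case-sensitive, whereas the sibling rules in this solution normalise case — FileHashEntity_CommonSecurityLog unions lower- and upper-case variants of the indicator and FileHashEntity_SecurityEvent applies toupper() — and Defender hash columns are typically lower-case hex, so an indicator stored in upper-case would silently never match. Add `| extend FileHashValue = tolower(FileHashValue)` in both DeviceFileEvents_ union branches and on the indicator before the `in` filter. DeviceFileEvents_ is also a plain let rather than `materialize(...)` as in EmailEntity_EmailEvents, so the 1h union is evaluated again for `Hashes` and for the join; wrapping it in `materialize()` avoids re-scanning the table. The `Description !contains_cs "State: inactive;"` exclusion would benefit from a one-line comment naming the feed whose Description field carries that marker, since it is not an obvious convention.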
diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
index 0f4686c379..6a1bf2b2c2 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
@@ -32,11 +32,11 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
| where isnotempty(FileHashValue)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend FileHashValue = toupper(FileHashValue)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique ( union isfuzzy=true
(SecurityEvent | where TimeGenerated >= ago(dt_lookBack)
@@ -81,5 +81,5 @@ entityMappings:
columnName: FileHashValue
- identifier: Algorithm
columnName: FileHashType
-version: 1.4.3
+version: 1.4.4
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
index d660af1aac..4852279f41 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
@@ -27,17 +27,17 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
// Filter out indicators without relevant IP address fields
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
// Select the IP entity based on availability of different IP fields
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
// Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
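Review bot: `ipv4_is_private(TI_ipEntity) == false` appears to drop every non-IPv4 indicator: ipv4_is_private() returns null when its argument does not parse as IPv4, a comparison against null yields null, and `where` treats null as false — so the `!startswith "fe80"` / `!startswith "::"` checks on the same line, which only make sense for IPv6 values, can never see an IPv6 row. If IPv6 indicators are meant to be matched, replace the first condition with `coalesce(ipv4_is_private(TI_ipEntity), false) == false`; if they are deliberately out of scope, a comment such as `// IPv4 only: ipv4_is_private() yields null for other strings, which excludes the row` would keep the next reader from relying on the IPv6 checks. The logic is unchanged by this commit apart from the moved semicolon, so this is pre-existing, and the same line appears in the other IPEntity rules in this change.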
@@ -70,5 +70,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
index 254f81bf3a..8e2d9de037 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
@@ -24,23 +24,23 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
// Filter out indicators without relevant IP address fields
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label.
+ | where ConfidenceScore > 50
// Select the IP entity based on availability of different IP fields
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label.
- | where ConfidenceScore > 50
// Determine AlertPriority based on ConfidenceScore
| extend AlertPriority = case(ConfidenceScore > 82, "High",
ConfidenceScore > 74, "Medium",
"Low")
// Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
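Review bot: The moved comment and code disagree: the comment says rows with a Confidence Score "less than 50" are filtered out, but `where ConfidenceScore > 50` also drops indicators with a score of exactly 50. Either change the filter to `| where ConfidenceScore >= 50` or reword the comment to `// Drop indicators with a Confidence Score of 50 or below; they would not receive an AlertPriority label.`, whichever matches the intent behind the High/Medium/Low thresholds that follow. As in the other IPEntity rules in this change, `ipv4_is_private(TI_ipEntity) == false` also seems to exclude any indicator that is not an IPv4 address (the function returns null for such values and the null comparison fails the where), which makes the `fe80`/`::` checks on the same line unreachable unless that is intended.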
@@ -86,6 +86,6 @@ entityMappings:
columnName: _ResourceId
alertDetailsOverride:
alertSeverityColumnName: AlertPriority
-version: 1.5.0
+version: 1.5.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
index 19dc9d3bab..14477b09a4 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
@@ -27,17 +27,17 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
// Filter out indicators without relevant IP address fields
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
// Select the IP entity based on availability of different IP fields
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
// Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity
IP_Indicators
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
@@ -76,5 +76,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
index 84f0a3c58c..ec2958a18f 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
@@ -27,17 +27,17 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
// Filter out indicators without relevant IP address fields
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
// Select the IP entity based on availability of different IP fields
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
// Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
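Review bot: The row-level IP filters on ThreatIntelligenceIndicator (the isnotempty test and the ipv4_is_private / "fe80" / "::" / "127." exclusion) now run before `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId`, so the "latest" row is chosen among the rows that pass those filters rather than among all rows of an IndicatorId. If a later row for the same IndicatorId changed or cleared its IP fields, an older row that still carries Active == true would be picked and matched; whether updates of that kind occur in the table is not something the hunk shows, so this is a maintainability concern rather than a demonstrated miss. The same ordering is applied in the AzureKeyVault, AzureNetworkAnalytics, AzureSQL, CustomSecurityLog, DnsEvents, DuoSecurity, VMConnection, W3CIISLog and imNetworkSession hunks of this commit. A one-line comment above the summarize would make the trade-off explicit, e.g. `// Row filters run before arg_max for performance: only rows that still carry an IP field compete for "latest" per IndicatorId`.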
@@ -72,5 +72,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.3.0
+version: 1.3.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
index d66fa97a01..622926efb4 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
@@ -27,14 +27,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
- | where LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -64,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
-version: 1.3.2
+version: 1.3.3
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
index a40c6d3023..ff4b1c4396 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
@@ -24,14 +24,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -71,5 +71,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
index 02904d27bf..4b9e7abf0d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
@@ -27,14 +27,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -64,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: ClientIP
-version: 1.3.0
+version: 1.3.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
index 036f8ebcf1..8e70f03286 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
@@ -28,14 +28,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and CommonSecurityLog events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -59,5 +59,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: CS_ipEntity
-version: 1.2.0
+version: 1.2.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..f98efcb90b
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml
@@ -0,0 +1,67 @@
+id: b2df4979-d34a-48b3-a7d9-f473a4bf8058
+name: TI Map IP Entity to DeviceNetworkEvents
+description: |
+ 'Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceNetworkEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceNetworkEvents_ = DeviceNetworkEvents
+ | where isnotempty(RemoteIP)
+ | where TimeGenerated > ago(dt_lookBack)
+ | where ActionType !has "ConnectionFailed"
+ | extend isPrivate = ipv4_is_private(RemoteIP)
+ | where isPrivate != true;
+ let IPs = DeviceNetworkEvents_ | distinct RemoteIP | summarize make_list(RemoteIP);
+ ThreatIntelligenceIndicator
+ | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)
+ | where TI_ipEntity in (IPs)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP
+ | summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName
+ // DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn
+ | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: TI_ipEntity
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: RemoteUrl
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+version: 1.0.0
+kind: Scheduled
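Review bot: After `| join kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP` both sides carry a TimeGenerated column, so the `summarize TimeGenerated = arg_max(TimeGenerated, *)` and `extend timestamp = TimeGenerated` that follow appear to use the indicator row's time (the network event's copy would arrive under the suffixed right-side name), which would stamp the alert with the indicator's ingestion time rather than the connection's. The OfficeActivity rule in this same commit avoids that by renaming the event-side column inside its materialized subquery; doing the same here, `| project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated` at the end of the DeviceNetworkEvents_ definition and using that column for the arg_max and the timestamp, would keep the two rules consistent. The stray `// DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn` comment above the final extend reads as a leftover and should be removed or turned into a sentence. This rule also drops indicators whose Description contains "State: inactive;" or "State: falsepos;" while the other IP rules touched here do not, which deserves a comment if intentional.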
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
index cf06146455..1a1f08aaac 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
@@ -27,14 +27,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and DNS events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -69,5 +69,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
index 5b6c869607..85e929aa04 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
@@ -26,16 +26,16 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
| join (
DuoSecurityAuthentication_CL
| where TimeGenerated >= ago(dt_lookBack)
@@ -44,7 +44,9 @@ query: |
| extend Duo_TimeGenerated = isotimestamp_t
)
on $left.TI_ipEntity == $right.access_device_ip_s
+ | where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,
TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s
| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 1)[0])
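Review bot: The added `| where TimeGenerated >= ago(ioc_lookBack)` and `| where Active == true and ExpirationDateTime > now()` around the post-join `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` repeat the three steps the previous hunk of this file already applies to ThreatIntelligenceIndicator before the join, so on the joined rows they cannot change which indicators are considered. What the post-join summarize still does is collapse all Duo authentications for one indicator into a single row, which is pre-existing behaviour. Dropping the two added lines leaves the output unchanged and makes the intent readable; if one row per source IP is wanted, the existing summarize could instead be keyed `by IndicatorId, access_device_ip_s`.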
@@ -59,5 +61,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: access_device_ip_s
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
index 5a20c7ea64..2acecd3255 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
@@ -25,36 +25,33 @@ tactics:
query: |
let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
+ let OfficeActivity_ = materialize(OfficeActivity
+ | where isnotempty(ClientIP)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
+ | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')
+ | project-rename OfficeActivity_TimeGenerated = TimeGenerated);
+ let ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);
// Fetch threat intelligence indicators related to IP addresses
- let IP_Indicators = ThreatIntelligenceIndicator
+ let IP_Indicators = materialize(ThreatIntelligenceIndicator
+ | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)
+ | where TI_ipEntity in (ActivityIPs)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
- | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
- // Perform a join between IP indicators and OfficeActivity events
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
IP_Indicators
- // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
- | join kind=innerunique (
- OfficeActivity
- | where TimeGenerated >= ago(dt_lookBack)
- | where isnotempty(ClientIP)
- | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
- | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')
- | extend OfficeActivity_TimeGenerated = TimeGenerated
- )
+ // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
+ | join kind=innerunique (OfficeActivity_)
on $left.TI_ipEntity == $right.IPAddress
- // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator
- | where OfficeActivity_TimeGenerated < ExpirationDateTime
- // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp
- | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
- // Select the desired output fields
- | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
- TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
- | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
+ // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator
+ | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp
+ | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
+ // Select the desired output fields
+ | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
+ | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
entityMappings:
- entityType: Account
fieldMappings:
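Review bot: `| extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)` omits NetworkIP, although the isnotempty filter on the line above admits indicators that have only that field and the removed iff chain took NetworkIP first; such indicators now get an empty TI_ipEntity, fail the `in (ActivityIPs)` test and never match. The line should read `| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)`, which restores the precedence of the removed code. Separately, the ipv4_is_private / loopback exclusion on the indicator side has been removed in this rule but kept in the other IP rules of the commit; if that is deliberate, a comment next to the coalesce saying that private and loopback indicator values are now accepted would save the next reader from re-adding the filter.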
@@ -70,5 +67,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
index b50795e12c..ebb0f1256d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
@@ -28,37 +28,30 @@ tactics:
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
- let aadFunc = (tableName:string){
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
- // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
- // Taking the first non-empty value based on potential IOC match availability
- | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ let Signins = materialize(union isfuzzy=true
+ (SigninLogs
+ | where TimeGenerated >= ago(dt_lookBack)),
+ (AADNonInteractiveUserSignInLogs
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));
+ let SigninIPs = Signins | summarize make_list(IPAddress);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)
+ | where TI_ipEntity in (SigninIPs)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
+ TI
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- table(tableName) | where TimeGenerated >= ago(dt_lookBack)
- | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)
- | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)
- | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)
- // renaming time column so it is clear the log this came from
- | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
- )
- on $left.TI_ipEntity == $right.IPAddress
+ | join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress
+ | project-rename SigninLogs_TimeGenerated = TimeGenerated
| where SigninLogs_TimeGenerated < ExpirationDateTime
+ | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)
| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress
- | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
- TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
+ | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
- };
- let aadSignin = aadFunc("SigninLogs");
- let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
- union isfuzzy=true aadSignin, aadNonInt
entityMappings:
- entityType: Account
fieldMappings:
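Review bot: `| project-rename SigninLogs_TimeGenerated = TimeGenerated` is applied after the join, where TimeGenerated on the left is the indicator row's time and the sign-in's own TimeGenerated arrives from the right side under a suffixed name, so the unchanged `where SigninLogs_TimeGenerated < ExpirationDateTime`, the arg_max and the `timestamp` mapping that follow appear to operate on the indicator time rather than the sign-in time; the removed code renamed inside the subquery and did not have this problem. Renaming inside the Signins definition, as the OfficeActivity rule in this commit does, keeps the event time: append `| project-rename SigninLogs_TimeGenerated = TimeGenerated` to the union result before the closing `);` of the materialize call, and drop the post-join rename. The coalesce order `coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)` also differs from the NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress precedence used by the other rules of this commit, which is worth aligning or commenting.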
@@ -74,5 +67,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.5
+version: 1.2.6
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml
index 2abc531a14..341c7d6312 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml
@@ -27,14 +27,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and VMConnection events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -67,5 +67,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml
index 047bbd16ac..b4ca8f6bc1 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml
@@ -27,14 +27,14 @@ query: |
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and W3CIISLog events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -71,5 +71,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.4.0
+version: 1.4.1
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml
index 4868d5e72b..07c3f7492d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml
@@ -1,8 +1,7 @@
id: e2399891-383c-4caf-ae67-68a008b9f89e
name: TI map IP entity to Network Session Events (ASIM Network Session schema)
description: |
- 'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC.
- This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
+ 'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
severity: Medium
status: Available
requiredDataConnectors:
@@ -58,6 +57,9 @@ requiredDataConnectors:
dataTypes:
- Syslog
- CiscoMerakiNativePoller
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
@@ -70,11 +72,11 @@ query: |
let ioc_lookBack = 14d;
let IP_TI = materialize (
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP")
| where TI_ipEntity != "NO_IP"
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
);
IP_TI
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
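Review bot: The entity filter pair `| extend TI_ipEntity = coalesce(...)` / `| where TI_ipEntity != "NO_IP"` now runs before `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId`, so arg_max selects the newest version of an indicator that still carries an IP rather than the newest version overall; if a later revision of the same IndicatorId no longer has an IP field, its older IP-bearing revision is picked and then passes the `Active == true and ExpirationDateTime > now()` check. Moving the Active/Expiration test after arg_max is the right fix for stale revisions, and the same reasoning argues for placing the extend/where entity pair after that check too, leaving only the `TimeGenerated >= ago(ioc_lookBack)` filter ahead of the summarize. The same pre-arg_max entity filtering appears in the IPEntity_imWebSession, URLEntity_PaloAlto, URLEntity_Syslog, imDns_DomainEntity_DnsEvents and imDns_IPEntity_DnsEvents hunks (with `isnotempty(Url)` / `isnotempty(DomainName)`) and in the new URLEntity_AuditLogs and URLEntity_DeviceNetworkEvents rules, so one decision should be applied across all of them. This is a narrow edge case and may be acceptable if indicator revisions never change type; the query body continues outside the hunk.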
@@ -119,5 +121,5 @@ tags:
- Schema: ASIMNetworkSession
SchemaVersion: 0.2.4
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml
index 0be5ccd716..0fd952f9e7 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml
@@ -1,7 +1,7 @@
id: e2559891-383c-4caf-ae67-55a008b9f89e
name: TI map IP entity to Web Session Events (ASIM Web Session schema)
description: |
- This rule identifies Web Sessions for which the source IP address is a known IoC.
This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.
+ This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.
severity: Medium
requiredDataConnectors:
- connectorId: SquidProxy
@@ -31,15 +31,15 @@ query: |
let ioc_lookBack = 14d;
let IP_TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, "NO_IP")
// Picking up only IOC's that contain the entities we want
| where TI_ipEntity != "NO_IP"
// Exclude local addresses, using the ipv4_is_private operator
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
let IP_TI_list = toscalar(IP_TI
| summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)
| project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));
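Review bot: `| where ipv4_is_private(TI_ipEntity) == false and ...`, the line whose terminating semicolon the commit moves, appears to discard every IPv6 indicator: as far as I can tell ipv4_is_private() yields null for a value that is not an IPv4 address, and a null comparison is not `true`, so `where` drops the row before the `!startswith "fe80"` and `!startswith "::"` exclusions are ever evaluated. If IPv6 IoCs are meant to reach the SrcIpAddr match, the predicate needs an explicit allowance, e.g. `| where (ipv4_is_private(TI_ipEntity) == false or isnull(ipv4_is_private(TI_ipEntity))) and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."`; if only IPv4 is intended, the two IPv6 prefix exclusions are dead and a short comment saying the rule is IPv4-only would stop the next reader from assuming otherwise. This predates the commit and should be confirmed against ipv4_is_private() semantics before changing. The query body continues outside the hunk.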
@@ -72,5 +72,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: The IP {{SrcIpAddr}} of the web request matches an IP IoC
alertDescriptionFormat: The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.
-version: 1.2.3
+version: 1.2.4
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
index 576680f6f1..4347c76d4d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
@@ -14,26 +14,31 @@ requiredDataConnectors:
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
-queryPeriod: 1d
+queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
+ let dt_lookBack = 1h; // Look back 1 hour for VMConnection events
+ let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
ThreatIntelligenceIndicator
- | where Action == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where Action == true
+ | where TimeGenerated >= ago(ioc_lookBack)
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
| join (
GitHubAudit
+ | where TimeGenerated >= ago(dt_lookBack)
| extend GitHubAudit_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.IPaddress
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor
entityMappings:
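Review bot: The comment on the new `let dt_lookBack = 1h; // Look back 1 hour for VMConnection events` names a table this rule never queries; the join target here is GitHubAudit, so it should read `let dt_lookBack = 1h; // Look back 1 hour for GitHubAudit events`. Separately, the relocated `| where Action == true` now sits alongside the newly added `| where Active == true and ExpirationDateTime > now()`; on ThreatIntelligenceIndicator `Active` is the enablement flag used by every other rule in this commit, and `Action == true` looks like a long-standing typo for it, so once that is confirmed against the table schema the `Action == true` line is redundant and can be removed. The query body continues outside the hunk.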
@@ -45,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
index 3e1511c765..403a566c0f 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
@@ -25,23 +25,24 @@ tactics:
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(Url)
- // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- AuditLogs
+ let AuditEvents = materialize(AuditLogs
| where TimeGenerated >= ago(dt_lookBack)
// Extract the URL that is contained within the JSON data
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources))
| where isnotempty(Url)
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)
- | extend Audit_TimeGenerated = TimeGenerated
- ) on Url
+ | extend Audit_TimeGenerated = TimeGenerated);
+ let AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);
+ ThreatIntelligenceIndicator
+ | where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where tolower(Url) in (AuditUrls)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (AuditEvents) on Url
| where Audit_TimeGenerated < ExpirationDateTime
| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url
| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
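Review bot: The pre-filter `| where tolower(Url) in (AuditUrls)` is case-insensitive because `AuditUrls` is built from `distinct Url = tolower(Url)`, but the following `| join kind=innerunique (AuditEvents) on Url` compares the original-case Url on both sides, so an indicator that passes the pre-filter only through a case difference is then silently dropped by the join. The URLEntity_DeviceNetworkEvents and URLEntity_SecurityAlerts rules in this same commit normalise with `| extend Url = tolower(Url)` on both sides before joining; doing the same here, inside the `AuditEvents` materialize and on the indicator side ahead of the join, makes the two stages agree. The query body continues outside the hunk.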
@@ -60,5 +61,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: URLCustomEntity
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..a8605523cd
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml
@@ -0,0 +1,71 @@
+id: 6ddbd892-a9be-47be-bab7-521241695bd6
+name: TI Map URL Entity to AuditLogs
+description: |
+ 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceNetworkEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceNetworkEvents_ = DeviceNetworkEvents
+ | where isnotempty(RemoteUrl)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where ActionType !has "ConnectionFailed"
+ | extend RemoteUrl = tolower(RemoteUrl)
+ | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;
+ let DeviceNetworkEventUrls = DeviceNetworkEvents_
+ | distinct Url = RemoteUrl
+ | summarize make_list(Url);
+ ThreatIntelligenceIndicator
+ | where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend Url = tolower(Url)
+ | where Url in (DeviceNetworkEventUrls)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceNetworkEvents_) on $left.Url == $right.RemoteUrl
+ | where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime
+ | summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, Url
+ | project DeviceNetworkEvents_TimeGenerated, IndicatorId, Url, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort
+ | extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
+ | extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: Process
+ fieldMappings:
+ - identifier: CommandLine
+ columnName: InitiatingProcessCommandLine
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
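Review bot: `name: TI Map URL Entity to AuditLogs` is a copy-paste leftover in this new rule: the description and query target DeviceNetworkEvents, so it should be `name: TI Map URL Entity to DeviceNetworkEvents`, in line with the sibling URLEntity_EmailUrlInfo and URLEntity_UrlClickEvents rules added here. A secondary point: the match is an exact comparison on `RemoteUrl`, and if RemoteUrl commonly holds only a hostname rather than a full URL, indicators whose Url carries a scheme or path will rarely hit; the DomainName-based second branch used in URLEntity_EmailUrlInfo may be worth adding as a complement, but that depends on the data and should be verified first.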
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml
new file mode 100644
index 0000000000..223535be3f
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml
@@ -0,0 +1,65 @@
+id: a0038239-72f4-4f7b-90ff-37f89f7881e0
+name: TI Map URL Entity to EmailUrlInfo
+description: |
+ 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - EmailUrlInfo
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailUrlInfo_ = materialize(EmailUrlInfo
+ | where isnotempty(Url)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend Url = tolower(Url)
+ | extend EmailUrlInfo_TimeGenerated = TimeGenerated);
+ let EmailUrls = EmailUrlInfo_ | distinct Url | summarize make_list(Url);
+ let EmailUrlDomains = EmailUrlInfo_ | distinct UrlDomain | summarize make_list(UrlDomain);
+ let EmailEvents_ = materialize(EmailEvents
+ | where TimeGenerated >= ago(dt_lookBack));
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where (isnotempty(Url) or isnotempty(DomainName))
+ | where tolower(Url) in (EmailUrls) or tolower(DomainName) in (EmailUrlDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now());
+ (union
+ (TI | join kind=innerunique (EmailUrlInfo_) on Url),
+ (TI | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain))
+ | where EmailUrlInfo_TimeGenerated < ExpirationDateTime
+ | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url
+ | project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlDomain, UrlLocation, NetworkMessageId
+ | extend timestamp = EmailUrlInfo_TimeGenerated
+ | join kind=inner (EmailEvents_) on NetworkMessageId
+ | where DeliveryAction !has "Blocked"
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
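Review bot: `connectorId: AzureActiveDirectory` is declared for the `EmailUrlInfo` data type, but EmailUrlInfo and the `EmailEvents` table this query also joins are Microsoft 365 Defender tables; the other two new rules in this commit declare `connectorId: MicrosoftThreatProtection` for DeviceNetworkEvents and UrlClickEvents, so this entry should be `- connectorId: MicrosoftThreatProtection` with both `EmailUrlInfo` and `EmailEvents` listed under its dataTypes. Separately, the pre-filter lowers the indicator side (`tolower(Url) in (EmailUrls)`) and `EmailUrlInfo_` lowers its Url in the materialize, but the union's `join kind=innerunique (EmailUrlInfo_) on Url` uses the un-lowered indicator Url, so `| extend Url = tolower(Url)` belongs in the TI materialize as URLEntity_DeviceNetworkEvents does. This rule also omits the `Description !contains_cs "State: inactive;"` exclusion the other new URL rules add; worth aligning unless the omission is deliberate.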
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
index 0a09429b5d..d929ae98bf 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
@@ -1,7 +1,7 @@
id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
-name: TI Map URL Entity to OfficeActivity Data
+name: TI Map URL Entity to OfficeActivity Data [Deprecated]
description: |
- 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'
+ 'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
@@ -13,6 +13,9 @@ requiredDataConnectors:
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@@ -21,31 +24,32 @@ tactics:
- Impact
query: |
let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(Url)
- // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- OfficeActivity
- | where TimeGenerated >= ago(dt_lookBack)
- //Extract the Url from a number of potential fields
- | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
- | where isnotempty(Url)
- // Ensure we get a clean URL
- | extend Url = tostring(split(Url, ';')[0])
- | extend OfficeActivity_TimeGenerated = TimeGenerated
- // Project a single user identity that we can use for entity mapping
- | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
- ) on Url
- | where OfficeActivity_TimeGenerated < ExpirationDateTime
- | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
- | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
- UserType, OfficeWorkload, Parameters, Url, User
- | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
+ // let ioc_lookBack = 14d;
+ // ThreatIntelligenceIndicator
+ // // Picking up only IOC's that contain the entities we want
+ // | where isnotempty(Url)
+ // | where TimeGenerated >= ago(ioc_lookBack)
+ // | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ // | where Active == true and ExpirationDateTime > now()
+ // // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ // | join kind=innerunique (
+ // OfficeActivity
+ // | where TimeGenerated >= ago(dt_lookBack)
+ // //Extract the Url from a number of potential fields
+ // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
+ // | where isnotempty(Url)
+ // // Ensure we get a clean URL
+ // | extend Url = tostring(split(Url, ';')[0])
+ // | extend OfficeActivity_TimeGenerated = TimeGenerated
+ // // Project a single user identity that we can use for entity mapping
+ // | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
+ // ) on Url
+ // | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ // | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
+ // | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
+ // UserType, OfficeWorkload, Parameters, Url, User
+ // | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
+ datatable() []
entityMappings:
- entityType: Account
fieldMappings:
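Review bot: The query now ends in `datatable() []`, yet the `entityMappings` context beneath it still maps Account `Name`/`UPNSuffix` and URL `Url` columns that the empty query no longer emits, and `let dt_lookBack = 1h;` remains as an unused binding in front of a fully commented-out body. For a deprecated rule it is cleaner to either remove the stale mappings or declare the mapped columns on the empty table, e.g. `datatable(Name:string, UPNSuffix:string, Url:string) []`, so the template stays self-consistent for validation; the unused `let` can go in the same pass. The entityMappings block continues outside the hunk.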
@@ -57,5 +61,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.5
+version: 1.2.6
kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
index 0b532cdfa8..6960697068 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
@@ -26,11 +26,11 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
CommonSecurityLog
@@ -64,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: PA_Url
-version: 1.2.3
+version: 1.2.4
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
index 3ede7de1e3..49a172956d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
@@ -29,28 +29,30 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let URLRegex = "((https?|ftp|ldap|wss?|file):\\/\\/(([\\:\\%\\w\\_\\-]+(\\.|@))*((xn--)?[a-zA-Z0-9\\-]+\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{0,3})[.,:\\w@?^=%&\\/~+#-]*[\\w@?^=%&\\/~+#-])";
+ let SecurityEvents = materialize(SecurityAlert
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
+ | where MSTI == false
+ // Extract URL from JSON data
+ | mv-expand parse_json(Entities)
+ | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)
+ | extend Url = coalesce(Entities.Url, Entities.Urls)
+ | mv-expand Url
+ | extend Url = tolower(Url)
+ // Extract hostname from JSON data for entity mapping
+ | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
+ | extend Alert_TimeGenerated = TimeGenerated);
+ let EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
| where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend Url = tolower(Url)
+ | where tolower(Url) in (EventUrls)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
- | join kind=innerunique (
- SecurityAlert
- | where TimeGenerated >= ago(dt_lookBack)
- | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
- | where MSTI == false
- // Extract URL from JSON data
- | extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities)))
- | mv-expand Url
- | extend Url = tostring(Url[0])
- // We only want alerts that actually contain URL data
- | where isnotempty(Url)
- // Extract hostname from JSON data for entity mapping
- | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
- | extend Alert_TimeGenerated = TimeGenerated
- ) on Url
+ | join kind=innerunique (SecurityEvents) on Url
| where Alert_TimeGenerated < ExpirationDateTime
| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName
| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host
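Review bot: `let URLRegex = ...` is now dead: the rewritten `SecurityEvents` block reads URLs from `Entities.Url` / `Entities.Urls` after `mv-expand parse_json(Entities)`, and the `extract_all(URLRegex, ...)` line that consumed the regex is removed, so the definition should be deleted with it. After `| extend Url = coalesce(Entities.Url, Entities.Urls) | mv-expand Url` the Url column is dynamic while the indicator side is a string; `| extend Url = tolower(tostring(Url))` keeps the `in (EventUrls)` pre-filter and the `join ... on Url` string-to-string, which the removed path did explicitly via `tostring(Url[0])`. Dropping the regex also narrows coverage: alerts that carry a URL only inside free-text entity properties rather than the `Url`/`Urls` fields would no longer match, which deserves a sentence in the rule description if intended. The query body continues outside the hunk.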
@@ -63,5 +65,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.6
+version: 1.2.7
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml
index a1f74dad0f..ce3c31d6d8 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml
@@ -26,11 +26,11 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
Syslog
@@ -56,5 +56,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
-version: 1.2.4
+version: 1.2.5
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml
new file mode 100644
index 0000000000..718104a076
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml
@@ -0,0 +1,68 @@
+id: 23391c84-87d8-452f-a84c-47a62f01e115
+name: TI Map URL Entity to UrlClickEvents
+description: |
+ 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - UrlClickEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let UrlClickEvents_ = materialize(UrlClickEvents
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend UrlClickEvents_TimeGenerated = TimeGenerated);
+ let ChainReportID = UrlClickEvents_
+ | mv-expand todynamic(UrlChain)
+ | extend UrlChain = tolower(UrlChain)
+ | project ReportId, Url, UrlChain;
+ // Url is not always in UrlChain, so we need to check both
+ let ClickedUrls =
+ (union isfuzzy=false (ChainReportID), (ChainReportID | project Url = UrlChain))
+ | distinct Url
+ | summarize make_list(Url);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(Url) and tolower(Url) in (ClickedUrls)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | project-rename TI_Url = Url, TI_Type = Type
+ );
+ (union isfuzzy=false (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.UrlChain),
+ (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.Url))
+ | project-away UrlChain
+ | join kind=innerunique (UrlClickEvents_) on ReportId
+ | where UrlClickEvents_TimeGenerated < ExpirationDateTime
+ | summarize UrlClickEvents_TimeGenerated = arg_max(UrlClickEvents_TimeGenerated, *) by IndicatorId
+ | project UrlClickEvents_TimeGenerated, AccountUpn, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, NetworkMessageId
+ | extend timestamp = UrlClickEvents_TimeGenerated
+ | extend timestamp = UrlClickEvents_TimeGenerated, Name = tostring(split(AccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(AccountUpn, '@', 1)[0])
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+version: 1.0.0
+kind: Scheduled
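Review bot: Case handling around the join is inconsistent: `ChainReportID` lowers `UrlChain` but not `Url`, the indicator pre-filter uses `tolower(Url) in (ClickedUrls)`, and the union then joins the un-lowered `TI_Url` against the lowered `UrlChain` and the original-case `Url`, so an indicator containing upper-case characters can pass the pre-filter and still miss both join branches. Lowering once per side — `| extend Url = tolower(Url)` in the `ChainReportID` projection and `| extend Url = tolower(Url)` in the TI materialize before `project-rename` — keeps filter and join consistent, as URLEntity_DeviceNetworkEvents in this commit does. `| extend timestamp = UrlClickEvents_TimeGenerated` also appears twice in succession; the first occurrence is redundant. The `Description !contains_cs "State: inactive;"` exclusion used by the other new URL rules is absent here as well.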
diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
index b8b8d971f0..934a931cba 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
@@ -35,7 +35,6 @@ requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
-
- connectorId: Corelight
dataTypes:
- Corelight_CL
@@ -55,11 +54,11 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DomainTIs= ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
- | where Active == true
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName)
| project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;
DomainTIs
@@ -70,7 +69,6 @@ query: |
| where DNS_TimeGenerated < ExpirationDateTime
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url
-
entityMappings:
- entityType: Host
fieldMappings:
@@ -96,5 +94,5 @@ customDetails:
SourceIPAddress: SrcIpAddr
DnsQuery: DnsQuery
QueryType: DnsQueryType
-version: 1.1.4
+version: 1.1.5
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
index e14de01d8a..a300fa7f7f 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
@@ -1,8 +1,7 @@
id: 67775878-7f8b-4380-ac54-115e1e828901
name: TI map IP entity to DNS Events (ASIM DNS schema)
description: |
- 'This rule identifies DNS requests for which response IP address is a known IoC.
- This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.'
+ 'This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.'
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
@@ -38,7 +37,6 @@ requiredDataConnectors:
- connectorId: Corelight
dataTypes:
- Corelight_CL
-
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@@ -55,12 +53,11 @@ query: |
let ioc_lookBack = 14d;
let IP_TI =
ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
+ | where TimeGenerated >= ago(ioc_lookBack)
| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP")
| where IoC != "NO_IP"
- ;
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
IP_TI
| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
(
@@ -73,7 +70,6 @@ query: |
on IoC
| where imDns_mintime < ExpirationDateTime
| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName
-
entityMappings:
- entityType: Host
fieldMappings:
@@ -87,7 +83,6 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
-
customDetails:
LatestIndicatorTime: LatestIndicatorTime
Description: Description
@@ -99,10 +94,8 @@ customDetails:
DNSRequestTime: imDns_mintime
SourceIPAddress: SrcIpAddr
DnsQuery: DnsQuery
-
alertDetailsOverride:
alertDisplayNameFormat: The response {{IoC}} to DNS query matched an IoC
alertDescriptionFormat: The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
-
-version: 1.2.2
+version: 1.2.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
index e4ddb848fd..8bc1575959 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
@@ -1,5 +1,5 @@
{
- "id": "PremiumMicrosoftDefenderThreatIntelligence",
+ "id": "PremiumMicrosoftDefenderForThreatIntelligence",
"title": "Premium Microsoft Defender Threat Intelligence (Preview)",
"publisher": "Microsoft",
"logo": {
@@ -28,7 +28,7 @@
{
"type": "SentinelKinds",
"value": [
- "PremiumMicrosoftThreatIntelligence"
+ "PremiumMicrosoftDefenderForThreatIntelligence"
]
}
],
@@ -73,9 +73,9 @@
{
"instructions": [
{
- "type": "PremiumMicrosoftThreatIntelligence",
+ "type": "PremiumMicrosoftDefenderForThreatIntelligence",
"parameters": {
- "connectorKind": "PremiumMicrosoftThreatIntelligence"
+ "connectorKind": "PremiumMicrosoftDefenderForThreatIntelligence"
}
}
]
diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
index cbdaf00abb..f44962b07b 100644
--- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
+++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
@@ -21,18 +21,23 @@
],
"Analytic Rules": [
"Analytic Rules/DomainEntity_CommonSecurityLog.yaml",
+ "Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml",
"Analytic Rules/DomainEntity_DnsEvents.yaml",
+ "Analytic Rules/DomainEntity_EmailEvents.yaml",
+ "Analytic Rules/DomainEntity_EmailUrlInfo.yaml",
"Analytic Rules/DomainEntity_imWebSession.yaml",
"Analytic Rules/DomainEntity_PaloAlto.yaml",
"Analytic Rules/DomainEntity_SecurityAlert.yaml",
"Analytic Rules/DomainEntity_Syslog.yaml",
"Analytic Rules/EmailEntity_AzureActivity.yaml",
+ "Analytic Rules/EmailEntity_EmailEvents.yaml",
"Analytic Rules/EmailEntity_OfficeActivity.yaml",
"Analytic Rules/EmailEntity_PaloAlto.yaml",
"Analytic Rules/EmailEntity_SecurityAlert.yaml",
"Analytic Rules/EmailEntity_SecurityEvent.yaml",
"Analytic Rules/EmailEntity_SigninLogs.yaml",
"Analytic Rules/FileHashEntity_CommonSecurityLog.yaml",
+ "Analytic Rules/FileHashEntity_DeviceFileEvents.yaml",
"Analytic Rules/FileHashEntity_SecurityEvent.yaml",
"Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml",
"Analytic Rules/IPEntity_AWSCloudTrail.yaml",
@@ -42,6 +47,7 @@
"Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml",
"Analytic Rules/IPEntity_AzureSQL.yaml",
"Analytic Rules/IPEntity_CustomSecurityLog.yaml",
+ "Analytic Rules/IPEntity_DeviceNetworkEvents.yaml",
"Analytic Rules/IPEntity_DnsEvents.yaml",
"Analytic Rules/IPEntity_imWebSession.yaml",
"Analytic Rules/IPEntity_OfficeActivity.yaml",
@@ -49,10 +55,13 @@
"Analytic Rules/IPEntity_VMConnection.yaml",
"Analytic Rules/IPEntity_W3CIISLog.yaml",
"Analytic Rules/URLEntity_AuditLogs.yaml",
+ "Analytic Rules/URLEntity_DeviceNetworkEvents.yaml",
+ "Analytic Rules/URLEntity_EmailUrlInfo.yaml",
"Analytic Rules/URLEntity_OfficeActivity.yaml",
"Analytic Rules/URLEntity_PaloAlto.yaml",
"Analytic Rules/URLEntity_SecurityAlerts.yaml",
"Analytic Rules/URLEntity_Syslog.yaml",
+ "Analytic Rules/URLEntity_UrlClickEvents.yaml",
"Analytic Rules/IPEntity_DuoSecurity.yaml",
"Analytic Rules/imDns_DomainEntity_DnsEvents.yaml",
"Analytic Rules/imDns_IPEntity_DnsEvents.yaml",
@@ -61,7 +70,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"TemplateSpec": true,
"Is1PConnector": true
}
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Package/3.0.2.zip b/Solutions/Threat Intelligence/Package/3.0.2.zip
new file mode 100644
index 0000000000..db0a5ef2e8
Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.0.2.zip differ
diff --git a/Solutions/Threat Intelligence/Package/createUiDefinition.json b/Solutions/Threat Intelligence/Package/createUiDefinition.json
index ef11906573..0c5b3c5f7d 100644
--- a/Solutions/Threat Intelligence/Package/createUiDefinition.json
+++ b/Solutions/Threat Intelligence/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 38, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 47, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,7 +51,7 @@
}
],
"steps": [
- {
+ {
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
@@ -60,77 +60,28 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs four (4) data connectors for ingesting threat indicators (IP addresses, domains, URLs and file hashes) into Microsoft Sentinel. The ingested threat indicators can be used for correlation to enable monitoring, alerting, and hunting using your threat intelligence."
+ "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The data connectors installed are:"
+ "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "DC1",
- "type": "Microsoft.Common.Section",
- "label": "(1)\t\tThreat Intelligence Platforms",
- "elements": [
- {
- "name": "DC1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications."
- }
- }
- ]
- },
- {
- "name": "DC2",
- "type": "Microsoft.Common.Section",
- "label": "(2)\t\tThreat Intelligence - TAXII",
- "elements": [
- {
- "name": "DC1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Use this connector to bring in threat intelligence to Microsoft Sentinel from a TAXII 2.0 or 2.1 server."
- }
- }
- ]
- },
- {
- "name": "DC3",
- "type": "Microsoft.Common.Section",
- "label": "(3)\t\tThreat Intelligence Upload Indicators API",
- "elements": [
- {
- "name": "DC1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Microsoft Sentinel offer a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses."
- }
- }
- ]
- },
- {
- "name": "DC4",
- "type": "Microsoft.Common.Section",
- "label": "(4)\t\tMicrosoft Defender Threat Intelligence",
- "elements": [
- {
- "name": "DC1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc."
- }
- }
- ]
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
},
{
- "name": "dataconnectors3-text",
+ "name": "dataconnectors4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "After installing the solution, configure and enable these data connectors by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
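Review bot: The four replacement text blocks dataconnectors1-text through dataconnectors4-text now carry the identical sentence, and that sentence describes the connector as providing "Threat Intelligence custom log data", which matches neither the basics description earlier in this file (import of threat indicators) nor the four distinct connectors the removed DC1–DC4 sections named. One block would do, with wording that keeps the connector count and the indicator types, e.g. `"text": "This solution installs four (4) data connectors for ingesting threat indicators (IP addresses, domains, URLs and file hashes) into Microsoft Sentinel. After installing the solution, configure and enable these data connectors by following guidance in Manage solution view."`, and the other three repeated blocks can be dropped. If createUiDefinition.json is produced by the packaging tool, the fix belongs in the generator's input rather than in this file so the next build does not regress it.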
@@ -216,13 +167,13 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to CommonSecurityLog",
+ "label": "TI map Domain entity to PaloAlto CommonSecurityLog",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI"
+ "text": "Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI"
}
}
]
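Review bot: After the relabel, analytic1 (`"label": "TI map Domain entity to PaloAlto CommonSecurityLog"`, "Identifies a match in PaloAlto CommonSecurityLog table") reads as the same coverage as analytic7 further down in this file ("TI map Domain entity to PaloAlto", "Identifies a match in Palo Alto data in CommonSecurityLog table"). If the two rules differ in what they match — different CommonSecurityLog fields or vendor filters, say — the text here should state the difference; if they do not, one of them is redundant and will raise duplicate alerts for the same indicator hit. The rule YAMLs are not in this diff, so this is inferred from the labels alone.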
@@ -230,13 +181,13 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to DnsEvents",
+ "label": "TI Map Domain Entity to DeviceNetworkEvents",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in DnsEvents from any Domain IOC from TI"
+ "text": "This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents."
}
}
]
@@ -244,13 +195,13 @@
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
+ "label": "TI map Domain entity to DnsEvents",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
+ "text": "Identifies a match in DnsEvents from any Domain IOC from TI"
}
}
]
@@ -258,13 +209,13 @@
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to PaloAlto",
+ "label": "TI map Domain entity to EmailEvents",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI"
+ "text": "Identifies a match in EmailEvents table from any Domain IOC from TI"
}
}
]
@@ -272,13 +223,13 @@
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to SecurityAlert",
+ "label": "TI map Domain entity to EmailUrlInfo",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in SecurityAlert table from any Domain IOC from TI"
+ "text": "Identifies a match in EmailUrlInfo table from any Domain IOC from TI."
}
}
]
@@ -286,13 +237,13 @@
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to Syslog",
+ "label": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in Syslog table from any Domain IOC from TI"
+ "text": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
}
}
]
@@ -300,13 +251,13 @@
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to AzureActivity",
+ "label": "TI map Domain entity to PaloAlto",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in AzureActivity table from any Email IOC from TI"
+ "text": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI"
}
}
]
@@ -314,13 +265,13 @@
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to OfficeActivity",
+ "label": "TI map Domain entity to SecurityAlert",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in OfficeActivity table from any Email IOC from TI"
+ "text": "Identifies a match in SecurityAlert table from any Domain IOC from TI"
}
}
]
@@ -328,13 +279,13 @@
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to PaloAlto CommonSecurityLog",
+ "label": "TI map Domain entity to Syslog",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in CommonSecurityLog table from any Email IOC from TI"
+ "text": "Identifies a match in Syslog table from any Domain IOC from TI"
}
}
]
@@ -342,13 +293,13 @@
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to SecurityAlert",
+ "label": "TI map Email entity to AzureActivity",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others"
+ "text": "Identifies a match in AzureActivity table from any Email IOC from TI"
}
}
]
@@ -356,13 +307,13 @@
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to SecurityEvent",
+ "label": "TI map Email entity to EmailEvents",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in SecurityEvent table from any Email IOC from TI"
+ "text": "Identifies a match in EmailEvents table from any Email IOC from TI"
}
}
]
@@ -370,13 +321,13 @@
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
- "label": "TI map Email entity to SigninLogs",
+ "label": "TI map Email entity to OfficeActivity",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in SigninLogs table from any Email IOC from TI"
+ "text": "Identifies a match in OfficeActivity table from any Email IOC from TI"
}
}
]
@@ -384,13 +335,13 @@
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
- "label": "TI map File Hash to CommonSecurityLog Event",
+ "label": "TI map Email entity to PaloAlto CommonSecurityLog",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI"
+ "text": "Identifies a match in CommonSecurityLog table from any Email IOC from TI"
}
}
]
@@ -398,13 +349,13 @@
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
- "label": "TI map File Hash to Security Event",
+ "label": "TI map Email entity to SecurityAlert",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in Security Event data from any File Hash IOC from TI"
+ "text": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others"
}
}
]
@@ -412,13 +363,13 @@
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to AppServiceHTTPLogs",
+ "label": "TI map Email entity to SecurityEvent",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI"
+ "text": "Identifies a match in SecurityEvent table from any Email IOC from TI"
}
}
]
@@ -426,13 +377,13 @@
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to AWSCloudTrail",
+ "label": "TI map Email entity to SigninLogs",
"elements": [
{
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in AWSCloudTrail from any IP IOC from TI"
+ "text": "Identifies a match in SigninLogs table from any Email IOC from TI"
}
}
]
@@ -440,13 +391,13 @@
{
"name": "analytic17",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to AzureActivity",
+ "label": "TI map File Hash to CommonSecurityLog Event",
"elements": [
{
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity."
+ "text": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI"
}
}
]
@@ -454,13 +405,13 @@
{
"name": "analytic18",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to AzureFirewall",
+ "label": "TI map File Hash to DeviceFileEvents Event",
"elements": [
{
"name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI"
+ "text": "Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI"
}
}
]
@@ -468,13 +419,13 @@
{
"name": "analytic19",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to Azure Key Vault logs",
+ "label": "TI map File Hash to Security Event",
"elements": [
{
"name": "analytic19-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in Azure Key Vault logs from any IP IOC from TI"
+ "text": "Identifies a match in Security Event data from any File Hash IOC from TI"
}
}
]
@@ -482,13 +433,13 @@
{
"name": "analytic20",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "label": "TI map IP entity to AppServiceHTTPLogs",
"elements": [
{
"name": "analytic20-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed"
+ "text": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI"
}
}
]
@@ -496,13 +447,13 @@
{
"name": "analytic21",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to Azure SQL Security Audit Events",
+ "label": "TI map IP entity to AWSCloudTrail",
"elements": [
{
"name": "analytic21-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events."
+ "text": "Identifies a match in AWSCloudTrail from any IP IOC from TI"
}
}
]
@@ -510,13 +461,13 @@
{
"name": "analytic22",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to CommonSecurityLog",
+ "label": "TI Map IP Entity to AzureActivity",
"elements": [
{
"name": "analytic22-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity."
}
}
]
@@ -524,13 +475,13 @@
{
"name": "analytic23",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to DnsEvents",
+ "label": "TI map IP entity to AzureFirewall",
"elements": [
{
"name": "analytic23-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents."
+ "text": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI"
}
}
]
@@ -538,13 +489,13 @@
{
"name": "analytic24",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
+ "label": "TI map IP entity to Azure Key Vault logs",
"elements": [
{
"name": "analytic24-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
+ "text": "Identifies a match in Azure Key Vault logs from any IP IOC from TI"
}
}
]
@@ -552,13 +503,13 @@
{
"name": "analytic25",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to OfficeActivity",
+ "label": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
"elements": [
{
"name": "analytic25-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity."
+ "text": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed"
}
}
]
@@ -566,13 +517,13 @@
{
"name": "analytic26",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to SigninLogs",
+ "label": "TI Map IP Entity to Azure SQL Security Audit Events",
"elements": [
{
"name": "analytic26-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events."
}
}
]
@@ -580,13 +531,13 @@
{
"name": "analytic27",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to VMConnection",
+ "label": "TI Map IP Entity to CommonSecurityLog",
"elements": [
{
"name": "analytic27-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog."
}
}
]
@@ -594,13 +545,13 @@
{
"name": "analytic28",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to W3CIISLog",
+ "label": "TI Map IP Entity to DeviceNetworkEvents",
"elements": [
{
"name": "analytic28-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog."
+ "text": "Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI."
}
}
]
@@ -608,13 +559,13 @@
{
"name": "analytic29",
"type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to AuditLogs",
+ "label": "TI Map IP Entity to DnsEvents",
"elements": [
{
"name": "analytic29-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents."
}
}
]
@@ -622,13 +573,13 @@
{
"name": "analytic30",
"type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to OfficeActivity Data",
+ "label": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
"elements": [
{
"name": "analytic30-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data."
+ "text": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
}
}
]
@@ -636,13 +587,13 @@
{
"name": "analytic31",
"type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to PaloAlto Data",
+ "label": "TI map IP entity to OfficeActivity",
"elements": [
{
"name": "analytic31-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity."
}
}
]
@@ -650,13 +601,13 @@
{
"name": "analytic32",
"type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to SecurityAlert Data",
+ "label": "TI Map IP Entity to SigninLogs",
"elements": [
{
"name": "analytic32-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs."
}
}
]
@@ -664,13 +615,13 @@
{
"name": "analytic33",
"type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to Syslog Data",
+ "label": "TI Map IP Entity to VMConnection",
"elements": [
{
"name": "analytic33-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection."
}
}
]
@@ -678,13 +629,13 @@
{
"name": "analytic34",
"type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to Duo Security",
+ "label": "TI Map IP Entity to W3CIISLog",
"elements": [
{
"name": "analytic34-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog."
}
}
]
@@ -692,13 +643,13 @@
{
"name": "analytic35",
"type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
+ "label": "TI Map URL Entity to AuditLogs",
"elements": [
{
"name": "analytic35-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'"
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs."
}
}
]
@@ -706,13 +657,13 @@
{
"name": "analytic36",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to DNS Events (ASIM DNS schema)",
+ "label": "TI Map URL Entity to AuditLogs",
"elements": [
{
"name": "analytic36-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema."
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents."
}
}
]
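Review bot: The label `"label": "TI Map URL Entity to AuditLogs",` on analytic36 duplicates analytic35's label while the text block beneath it describes matches in DeviceNetworkEvents, so the installer will show two sections named AuditLogs and none for the new DeviceNetworkEvents rule. Given the template spec adds `URLEntity_DeviceNetworkEvents.yaml` immediately after `URLEntity_AuditLogs.yaml`, the intended line is presumably `"label": "TI Map URL Entity to DeviceNetworkEvents",`. If this file is generated from each rule's `name` field, the copy-pasted name in that rule's YAML (not in this diff) is the root cause and should be corrected there so the label is not regenerated wrong on the next package build.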
@@ -720,13 +671,13 @@
{
"name": "analytic37",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
+ "label": "TI Map URL Entity to EmailUrlInfo",
"elements": [
{
"name": "analytic37-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo."
}
}
]
@@ -734,11 +685,137 @@
{
"name": "analytic38",
"type": "Microsoft.Common.Section",
- "label": "TI map IP entity to GitHub_CL",
+ "label": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
"elements": [
{
"name": "analytic38-text",
"type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic39",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to PaloAlto Data",
+ "elements": [
+ {
+ "name": "analytic39-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic40",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to SecurityAlert Data",
+ "elements": [
+ {
+ "name": "analytic40-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic41",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to Syslog Data",
+ "elements": [
+ {
+ "name": "analytic41-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic42",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to UrlClickEvents",
+ "elements": [
+ {
+ "name": "analytic42-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic43",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map IP Entity to Duo Security",
+ "elements": [
+ {
+ "name": "analytic43-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic44",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
+ "elements": [
+ {
+ "name": "analytic44-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic45",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to DNS Events (ASIM DNS schema)",
+ "elements": [
+ {
+ "name": "analytic45-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic46",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
+ "elements": [
+ {
+ "name": "analytic46-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic47",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to GitHub_CL",
+ "elements": [
+ {
+ "name": "analytic47-text",
+ "type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a match in GitHub_CL table from any IP IOC from TI"
}
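Review bot: The analytic38 section offers a rule whose own description says its filter conditions "will never yield results", so anyone who installs the full rule set gets a detection that can never fire and may assume URL IOCs are being matched against OfficeActivity when they are not. If the section must stay for upgrade continuity, the text should at least name what replaces it (for example `"text": "[Deprecated] ... Use the UrlClickEvents and EmailUrlInfo URL-mapping rules instead."`), otherwise consider dropping it from the installer UI. Separately, the analytic44 description carries a stray trailing apostrophe copied from the old entry: `ASIM DNS schema'"` should be `ASIM DNS schema."`, and analytic46's "identifies a match Network Sessions" reads better as "identifies Network Session events".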
diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json
index 3421e204aa..0f3728c8c3 100644
--- a/Solutions/Threat Intelligence/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Threat Intelligence",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "ThreatIntelligenceTaxii",
@@ -87,266 +87,361 @@
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "huntingQueryVersion1": "1.0.3",
- "huntingQuerycontentId1": "410da56d-4a63-4d22-b68c-9fb1a303be6d",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
- "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
- "huntingQueryVersion2": "1.0.3",
- "huntingQuerycontentId2": "233441b9-cc92-4c9b-87fa-73b855fcd4b8",
- "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
- "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
- "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
- "huntingQueryVersion3": "1.0.3",
- "huntingQuerycontentId3": "18f7de84-de55-4983-aca3-a18bc846b4e0",
- "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
- "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
- "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
- "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
- "huntingQueryVersion4": "1.0.3",
- "huntingQuerycontentId4": "172a321b-c46b-4508-87c6-e2691c778107",
- "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
- "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
- "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]",
- "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]",
- "huntingQueryVersion5": "1.0.3",
- "huntingQuerycontentId5": "689a9475-440b-4e69-8ab1-a5e241685f39",
- "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
- "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
- "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]",
- "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]",
- "analyticRuleVersion1": "1.4.0",
- "analyticRulecontentId1": "dd0a6029-ecef-4507-89c4-fc355ac52111",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.4.0",
- "analyticRulecontentId2": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.4",
- "analyticRulecontentId3": "b1832f60-6c3d-4722-a0a5-3d564ee61a63",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.4.0",
- "analyticRulecontentId4": "ec21493c-2684-4acd-9bc2-696dbad72426",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.4.1",
- "analyticRulecontentId5": "87890d78-3e05-43ec-9ab9-ba32f4e01250",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "1.4.0",
- "analyticRulecontentId6": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.2.4",
- "analyticRulecontentId7": "cca3b4d9-ac39-4109-8b93-65bb284003e6",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.2.4",
- "analyticRulecontentId8": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.2.4",
- "analyticRulecontentId9": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
- "analyticRuleVersion10": "1.2.5",
- "analyticRulecontentId10": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
- "analyticRuleVersion11": "1.3.4",
- "analyticRulecontentId11": "2fc5d810-c9cc-491a-b564-841427ae0e50",
- "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
- "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
- "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]",
- "analyticRuleVersion12": "1.2.4",
- "analyticRulecontentId12": "30fa312c-31eb-43d8-b0cc-bcbdfb360822",
- "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]",
- "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]",
- "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]",
- "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]",
- "analyticRuleVersion13": "1.3.3",
- "analyticRulecontentId13": "5d33fc63-b83b-4913-b95e-94d13f0d379f",
- "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]",
- "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]",
- "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]",
- "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]",
- "analyticRuleVersion14": "1.4.3",
- "analyticRulecontentId14": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf",
- "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]",
- "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]",
- "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]",
- "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]",
- "analyticRuleVersion15": "1.4.0",
- "analyticRulecontentId15": "f9949656-473f-4503-bf43-a9d9890f7d08",
- "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]",
- "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]",
- "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]",
- "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]",
- "analyticRuleVersion16": "1.4.0",
- "analyticRulecontentId16": "f110287e-1358-490d-8147-ed804b328514",
- "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]",
- "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]",
- "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]",
- "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]",
- "analyticRuleVersion17": "1.3.2",
- "analyticRulecontentId17": "2441bce9-02e4-407b-8cc7-7d597f38b8b0",
- "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]",
- "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]",
- "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]",
- "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]",
- "analyticRuleVersion18": "1.3.0",
- "analyticRulecontentId18": "0b904747-1336-4363-8d84-df2710bfe5e7",
- "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]",
- "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]",
- "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]",
- "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]",
- "analyticRuleVersion19": "1.3.1",
- "analyticRulecontentId19": "57c7e832-64eb-411f-8928-4133f01f4a25",
- "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]",
- "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]",
- "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]",
- "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]",
- "analyticRuleVersion20": "1.4.0",
- "analyticRulecontentId20": "a4025a76-6490-4e6b-bb69-d02be4b03f07",
- "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]",
- "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]",
- "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]",
- "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]",
- "analyticRuleVersion21": "1.3.0",
- "analyticRulecontentId21": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85",
- "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]",
- "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]",
- "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]",
- "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]",
- "analyticRuleVersion22": "1.2.0",
- "analyticRulecontentId22": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe",
- "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]",
- "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]",
- "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]",
- "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]",
- "analyticRuleVersion23": "1.4.0",
- "analyticRulecontentId23": "69b7723c-2889-469f-8b55-a2d355ed9c87",
- "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]",
- "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]",
- "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]",
- "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]",
- "analyticRuleVersion24": "1.2.3",
- "analyticRulecontentId24": "e2559891-383c-4caf-ae67-55a008b9f89e",
- "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]",
- "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]",
- "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]",
- "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]",
- "analyticRuleVersion25": "1.4.0",
- "analyticRulecontentId25": "f15370f4-c6fa-42c5-9be4-1d308f40284e",
- "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]",
- "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]",
- "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]",
- "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]",
- "analyticRuleVersion26": "1.2.5",
- "analyticRulecontentId26": "f2eb15bd-8a88-4b24-9281-e133edfba315",
- "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]",
- "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]",
- "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]",
- "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]",
- "analyticRuleVersion27": "1.4.0",
- "analyticRulecontentId27": "9713e3c0-1410-468d-b79e-383448434b2d",
- "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]",
- "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]",
- "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]",
- "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]",
- "analyticRuleVersion28": "1.4.0",
- "analyticRulecontentId28": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f",
- "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]",
- "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]",
- "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]",
- "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]",
- "analyticRuleVersion29": "1.2.4",
- "analyticRulecontentId29": "712fab52-2a7d-401e-a08c-ff939cc7c25e",
- "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]",
- "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]",
- "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]",
- "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]",
- "analyticRuleVersion30": "1.2.5",
- "analyticRulecontentId30": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b",
- "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]",
- "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]",
- "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]",
- "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]",
- "analyticRuleVersion31": "1.2.3",
- "analyticRulecontentId31": "106813db-679e-4382-a51b-1bfc463befc3",
- "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]",
- "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]",
- "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]",
- "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]",
- "analyticRuleVersion32": "1.2.6",
- "analyticRulecontentId32": "f30a47c1-65fb-42b1-a7f4-00941c12550b",
- "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]",
- "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]",
- "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]",
- "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]",
- "analyticRuleVersion33": "1.2.4",
- "analyticRulecontentId33": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf",
- "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]",
- "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]",
- "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]",
- "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]",
- "analyticRuleVersion34": "1.0.3",
- "analyticRulecontentId34": "d23ed927-5be3-4902-a9c1-85f841eb4fa1",
- "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]",
- "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]",
- "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]",
- "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]",
- "analyticRuleVersion35": "1.1.4",
- "analyticRulecontentId35": "999e9f5d-db4a-4b07-a206-29c4e667b7e8",
- "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]",
- "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]",
- "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]",
- "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]",
- "analyticRuleVersion36": "1.2.2",
- "analyticRulecontentId36": "67775878-7f8b-4380-ac54-115e1e828901",
- "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]",
- "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]",
- "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]",
- "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]",
- "analyticRuleVersion37": "1.2.4",
- "analyticRulecontentId37": "e2399891-383c-4caf-ae67-68a008b9f89e",
- "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]",
- "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]",
- "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]",
- "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]",
- "analyticRuleVersion38": "1.0.2",
- "analyticRulecontentId38": "aac495a9-feb1-446d-b08e-a1164a539452",
- "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]",
- "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]",
- "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]",
- "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]",
- "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
- "management": "[concat('https://management','.azure','.com/')]"
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.3",
+ "_huntingQuerycontentId1": "410da56d-4a63-4d22-b68c-9fb1a303be6d",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('410da56d-4a63-4d22-b68c-9fb1a303be6d')))]"
+ },
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "1.0.3",
+ "_huntingQuerycontentId2": "233441b9-cc92-4c9b-87fa-73b855fcd4b8",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('233441b9-cc92-4c9b-87fa-73b855fcd4b8')))]"
+ },
+ "huntingQueryObject3": {
+ "huntingQueryVersion3": "1.0.3",
+ "_huntingQuerycontentId3": "18f7de84-de55-4983-aca3-a18bc846b4e0",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('18f7de84-de55-4983-aca3-a18bc846b4e0')))]"
+ },
+ "huntingQueryObject4": {
+ "huntingQueryVersion4": "1.0.3",
+ "_huntingQuerycontentId4": "172a321b-c46b-4508-87c6-e2691c778107",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('172a321b-c46b-4508-87c6-e2691c778107')))]"
+ },
+ "huntingQueryObject5": {
+ "huntingQueryVersion5": "1.0.3",
+ "_huntingQuerycontentId5": "689a9475-440b-4e69-8ab1-a5e241685f39",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('689a9475-440b-4e69-8ab1-a5e241685f39')))]"
+ },
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.4.1",
+ "_analyticRulecontentId1": "dd0a6029-ecef-4507-89c4-fc355ac52111",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dd0a6029-ecef-4507-89c4-fc355ac52111')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dd0a6029-ecef-4507-89c4-fc355ac52111')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd0a6029-ecef-4507-89c4-fc355ac52111','-', '1.4.1')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.0",
+ "_analyticRulecontentId2": "c308b2f3-eebe-4a20-905c-cb8293b062db",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c308b2f3-eebe-4a20-905c-cb8293b062db')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c308b2f3-eebe-4a20-905c-cb8293b062db')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c308b2f3-eebe-4a20-905c-cb8293b062db','-', '1.0.0')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.4.1",
+ "_analyticRulecontentId3": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '85aca4d1-5d15-4001-abd9-acb86ca1786a')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('85aca4d1-5d15-4001-abd9-acb86ca1786a')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85aca4d1-5d15-4001-abd9-acb86ca1786a','-', '1.4.1')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.0",
+ "_analyticRulecontentId4": "96307710-8bb9-4b45-8363-a90c72ebf86f",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '96307710-8bb9-4b45-8363-a90c72ebf86f')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('96307710-8bb9-4b45-8363-a90c72ebf86f')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','96307710-8bb9-4b45-8363-a90c72ebf86f','-', '1.0.0')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.0",
+ "_analyticRulecontentId5": "87cc75df-d7b2-44f1-b064-ee924edfc879",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87cc75df-d7b2-44f1-b064-ee924edfc879')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87cc75df-d7b2-44f1-b064-ee924edfc879')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87cc75df-d7b2-44f1-b064-ee924edfc879','-', '1.0.0')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.5",
+ "_analyticRulecontentId6": "b1832f60-6c3d-4722-a0a5-3d564ee61a63",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b1832f60-6c3d-4722-a0a5-3d564ee61a63')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b1832f60-6c3d-4722-a0a5-3d564ee61a63')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b1832f60-6c3d-4722-a0a5-3d564ee61a63','-', '1.0.5')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.4.1",
+ "_analyticRulecontentId7": "ec21493c-2684-4acd-9bc2-696dbad72426",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ec21493c-2684-4acd-9bc2-696dbad72426')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ec21493c-2684-4acd-9bc2-696dbad72426')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ec21493c-2684-4acd-9bc2-696dbad72426','-', '1.4.1')))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.4.2",
+ "_analyticRulecontentId8": "87890d78-3e05-43ec-9ab9-ba32f4e01250",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87890d78-3e05-43ec-9ab9-ba32f4e01250')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87890d78-3e05-43ec-9ab9-ba32f4e01250')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87890d78-3e05-43ec-9ab9-ba32f4e01250','-', '1.4.2')))]"
+ },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "1.4.1",
+ "_analyticRulecontentId9": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','532f62c1-fba6-4baa-bbb6-4a32a4ef32fa','-', '1.4.1')))]"
+ },
+ "analyticRuleObject10": {
+ "analyticRuleVersion10": "1.2.5",
+ "_analyticRulecontentId10": "cca3b4d9-ac39-4109-8b93-65bb284003e6",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cca3b4d9-ac39-4109-8b93-65bb284003e6')]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cca3b4d9-ac39-4109-8b93-65bb284003e6')))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cca3b4d9-ac39-4109-8b93-65bb284003e6','-', '1.2.5')))]"
+ },
+ "analyticRuleObject11": {
+ "analyticRuleVersion11": "1.0.0",
+ "_analyticRulecontentId11": "11f7c6e3-f066-4b3c-9a81-b487ec0a6873",
+ "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11f7c6e3-f066-4b3c-9a81-b487ec0a6873')]",
+ "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11f7c6e3-f066-4b3c-9a81-b487ec0a6873')))]",
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11f7c6e3-f066-4b3c-9a81-b487ec0a6873','-', '1.0.0')))]"
+ },
+ "analyticRuleObject12": {
+ "analyticRuleVersion12": "1.2.5",
+ "_analyticRulecontentId12": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2",
+ "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2')]",
+ "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2')))]",
+ "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2','-', '1.2.5')))]"
+ },
+ "analyticRuleObject13": {
+ "analyticRuleVersion13": "1.2.5",
+ "_analyticRulecontentId13": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63",
+ "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ffcd575b-3d54-482a-a6d8-d0de13b6ac63')]",
+ "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ffcd575b-3d54-482a-a6d8-d0de13b6ac63')))]",
+ "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ffcd575b-3d54-482a-a6d8-d0de13b6ac63','-', '1.2.5')))]"
+ },
+ "analyticRuleObject14": {
+ "analyticRuleVersion14": "1.2.6",
+ "_analyticRulecontentId14": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc",
+ "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc')]",
+ "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc')))]",
+ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc','-', '1.2.6')))]"
+ },
+ "analyticRuleObject15": {
+ "analyticRuleVersion15": "1.3.5",
+ "_analyticRulecontentId15": "2fc5d810-c9cc-491a-b564-841427ae0e50",
+ "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2fc5d810-c9cc-491a-b564-841427ae0e50')]",
+ "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2fc5d810-c9cc-491a-b564-841427ae0e50')))]",
+ "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2fc5d810-c9cc-491a-b564-841427ae0e50','-', '1.3.5')))]"
+ },
+ "analyticRuleObject16": {
+ "analyticRuleVersion16": "1.2.5",
+ "_analyticRulecontentId16": "30fa312c-31eb-43d8-b0cc-bcbdfb360822",
+ "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30fa312c-31eb-43d8-b0cc-bcbdfb360822')]",
+ "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30fa312c-31eb-43d8-b0cc-bcbdfb360822')))]",
+ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30fa312c-31eb-43d8-b0cc-bcbdfb360822','-', '1.2.5')))]"
+ },
+ "analyticRuleObject17": {
+ "analyticRuleVersion17": "1.3.4",
+ "_analyticRulecontentId17": "5d33fc63-b83b-4913-b95e-94d13f0d379f",
+ "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5d33fc63-b83b-4913-b95e-94d13f0d379f')]",
+ "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5d33fc63-b83b-4913-b95e-94d13f0d379f')))]",
+ "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5d33fc63-b83b-4913-b95e-94d13f0d379f','-', '1.3.4')))]"
+ },
+ "analyticRuleObject18": {
+ "analyticRuleVersion18": "1.0.0",
+ "_analyticRulecontentId18": "bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7",
+ "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')]",
+ "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')))]",
+ "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7','-', '1.0.0')))]"
+ },
+ "analyticRuleObject19": {
+ "analyticRuleVersion19": "1.4.4",
+ "_analyticRulecontentId19": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf",
+ "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7427ed7-04b4-4e3b-b323-08b981b9b4bf')]",
+ "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a7427ed7-04b4-4e3b-b323-08b981b9b4bf')))]",
+ "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a7427ed7-04b4-4e3b-b323-08b981b9b4bf','-', '1.4.4')))]"
+ },
+ "analyticRuleObject20": {
+ "analyticRuleVersion20": "1.5.1",
+ "_analyticRulecontentId20": "f9949656-473f-4503-bf43-a9d9890f7d08",
+ "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f9949656-473f-4503-bf43-a9d9890f7d08')]",
+ "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f9949656-473f-4503-bf43-a9d9890f7d08')))]",
+ "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f9949656-473f-4503-bf43-a9d9890f7d08','-', '1.5.1')))]"
+ },
+ "analyticRuleObject21": {
+ "analyticRuleVersion21": "1.4.1",
+ "_analyticRulecontentId21": "f110287e-1358-490d-8147-ed804b328514",
+ "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f110287e-1358-490d-8147-ed804b328514')]",
+ "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f110287e-1358-490d-8147-ed804b328514')))]",
+ "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f110287e-1358-490d-8147-ed804b328514','-', '1.4.1')))]"
+ },
+ "analyticRuleObject22": {
+ "analyticRuleVersion22": "1.4.1",
+ "_analyticRulecontentId22": "2441bce9-02e4-407b-8cc7-7d597f38b8b0",
+ "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2441bce9-02e4-407b-8cc7-7d597f38b8b0')]",
+ "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2441bce9-02e4-407b-8cc7-7d597f38b8b0')))]",
+ "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2441bce9-02e4-407b-8cc7-7d597f38b8b0','-', '1.4.1')))]"
+ },
+ "analyticRuleObject23": {
+ "analyticRuleVersion23": "1.3.1",
+ "_analyticRulecontentId23": "0b904747-1336-4363-8d84-df2710bfe5e7",
+ "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0b904747-1336-4363-8d84-df2710bfe5e7')]",
+ "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0b904747-1336-4363-8d84-df2710bfe5e7')))]",
+ "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0b904747-1336-4363-8d84-df2710bfe5e7','-', '1.3.1')))]"
+ },
+ "analyticRuleObject24": {
+ "analyticRuleVersion24": "1.3.3",
+ "_analyticRulecontentId24": "57c7e832-64eb-411f-8928-4133f01f4a25",
+ "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57c7e832-64eb-411f-8928-4133f01f4a25')]",
+ "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57c7e832-64eb-411f-8928-4133f01f4a25')))]",
+ "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57c7e832-64eb-411f-8928-4133f01f4a25','-', '1.3.3')))]"
+ },
+ "analyticRuleObject25": {
+ "analyticRuleVersion25": "1.4.1",
+ "_analyticRulecontentId25": "a4025a76-6490-4e6b-bb69-d02be4b03f07",
+ "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a4025a76-6490-4e6b-bb69-d02be4b03f07')]",
+ "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a4025a76-6490-4e6b-bb69-d02be4b03f07')))]",
+ "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a4025a76-6490-4e6b-bb69-d02be4b03f07','-', '1.4.1')))]"
+ },
+ "analyticRuleObject26": {
+ "analyticRuleVersion26": "1.3.1",
+ "_analyticRulecontentId26": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85",
+ "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd0aa8969-1bbe-4da3-9e76-09e5f67c9d85')]",
+ "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d0aa8969-1bbe-4da3-9e76-09e5f67c9d85')))]",
+ "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d0aa8969-1bbe-4da3-9e76-09e5f67c9d85','-', '1.3.1')))]"
+ },
+ "analyticRuleObject27": {
+ "analyticRuleVersion27": "1.2.1",
+ "_analyticRulecontentId27": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe",
+ "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '66c81ae2-1f89-4433-be00-2fbbd9ba5ebe')]",
+ "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('66c81ae2-1f89-4433-be00-2fbbd9ba5ebe')))]",
+ "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','66c81ae2-1f89-4433-be00-2fbbd9ba5ebe','-', '1.2.1')))]"
+ },
+ "analyticRuleObject28": {
+ "analyticRuleVersion28": "1.0.0",
+ "_analyticRulecontentId28": "b2df4979-d34a-48b3-a7d9-f473a4bf8058",
+ "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2df4979-d34a-48b3-a7d9-f473a4bf8058')]",
+ "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2df4979-d34a-48b3-a7d9-f473a4bf8058')))]",
+ "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2df4979-d34a-48b3-a7d9-f473a4bf8058','-', '1.0.0')))]"
+ },
+ "analyticRuleObject29": {
+ "analyticRuleVersion29": "1.4.1",
+ "_analyticRulecontentId29": "69b7723c-2889-469f-8b55-a2d355ed9c87",
+ "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '69b7723c-2889-469f-8b55-a2d355ed9c87')]",
+ "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('69b7723c-2889-469f-8b55-a2d355ed9c87')))]",
+ "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','69b7723c-2889-469f-8b55-a2d355ed9c87','-', '1.4.1')))]"
+ },
+ "analyticRuleObject30": {
+ "analyticRuleVersion30": "1.2.4",
+ "_analyticRulecontentId30": "e2559891-383c-4caf-ae67-55a008b9f89e",
+ "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e2559891-383c-4caf-ae67-55a008b9f89e')]",
+ "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e2559891-383c-4caf-ae67-55a008b9f89e')))]",
+ "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e2559891-383c-4caf-ae67-55a008b9f89e','-', '1.2.4')))]"
+ },
+ "analyticRuleObject31": {
+ "analyticRuleVersion31": "1.4.1",
+ "_analyticRulecontentId31": "f15370f4-c6fa-42c5-9be4-1d308f40284e",
+ "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f15370f4-c6fa-42c5-9be4-1d308f40284e')]",
+ "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f15370f4-c6fa-42c5-9be4-1d308f40284e')))]",
+ "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f15370f4-c6fa-42c5-9be4-1d308f40284e','-', '1.4.1')))]"
+ },
+ "analyticRuleObject32": {
+ "analyticRuleVersion32": "1.2.6",
+ "_analyticRulecontentId32": "f2eb15bd-8a88-4b24-9281-e133edfba315",
+ "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f2eb15bd-8a88-4b24-9281-e133edfba315')]",
+ "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f2eb15bd-8a88-4b24-9281-e133edfba315')))]",
+ "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f2eb15bd-8a88-4b24-9281-e133edfba315','-', '1.2.6')))]"
+ },
+ "analyticRuleObject33": {
+ "analyticRuleVersion33": "1.4.1",
+ "_analyticRulecontentId33": "9713e3c0-1410-468d-b79e-383448434b2d",
+ "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9713e3c0-1410-468d-b79e-383448434b2d')]",
+ "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9713e3c0-1410-468d-b79e-383448434b2d')))]",
+ "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9713e3c0-1410-468d-b79e-383448434b2d','-', '1.4.1')))]"
+ },
+ "analyticRuleObject34": {
+ "analyticRuleVersion34": "1.4.1",
+ "_analyticRulecontentId34": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f",
+ "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5e45930c-09b1-4430-b2d1-cc75ada0dc0f')]",
+ "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5e45930c-09b1-4430-b2d1-cc75ada0dc0f')))]",
+ "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5e45930c-09b1-4430-b2d1-cc75ada0dc0f','-', '1.4.1')))]"
+ },
+ "analyticRuleObject35": {
+ "analyticRuleVersion35": "1.2.5",
+ "_analyticRulecontentId35": "712fab52-2a7d-401e-a08c-ff939cc7c25e",
+ "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '712fab52-2a7d-401e-a08c-ff939cc7c25e')]",
+ "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('712fab52-2a7d-401e-a08c-ff939cc7c25e')))]",
+ "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','712fab52-2a7d-401e-a08c-ff939cc7c25e','-', '1.2.5')))]"
+ },
+ "analyticRuleObject36": {
+ "analyticRuleVersion36": "1.0.0",
+ "_analyticRulecontentId36": "6ddbd892-a9be-47be-bab7-521241695bd6",
+ "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ddbd892-a9be-47be-bab7-521241695bd6')]",
+ "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ddbd892-a9be-47be-bab7-521241695bd6')))]",
+ "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ddbd892-a9be-47be-bab7-521241695bd6','-', '1.0.0')))]"
+ },
+ "analyticRuleObject37": {
+ "analyticRuleVersion37": "1.0.0",
+ "_analyticRulecontentId37": "a0038239-72f4-4f7b-90ff-37f89f7881e0",
+ "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a0038239-72f4-4f7b-90ff-37f89f7881e0')]",
+ "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a0038239-72f4-4f7b-90ff-37f89f7881e0')))]",
+ "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a0038239-72f4-4f7b-90ff-37f89f7881e0','-', '1.0.0')))]"
+ },
+ "analyticRuleObject38": {
+ "analyticRuleVersion38": "1.2.6",
+ "_analyticRulecontentId38": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b",
+ "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]",
+ "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')))]",
+ "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b','-', '1.2.6')))]"
+ },
+ "analyticRuleObject39": {
+ "analyticRuleVersion39": "1.2.4",
+ "_analyticRulecontentId39": "106813db-679e-4382-a51b-1bfc463befc3",
+ "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '106813db-679e-4382-a51b-1bfc463befc3')]",
+ "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('106813db-679e-4382-a51b-1bfc463befc3')))]",
+ "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','106813db-679e-4382-a51b-1bfc463befc3','-', '1.2.4')))]"
+ },
+ "analyticRuleObject40": {
+ "analyticRuleVersion40": "1.2.7",
+ "_analyticRulecontentId40": "f30a47c1-65fb-42b1-a7f4-00941c12550b",
+ "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f30a47c1-65fb-42b1-a7f4-00941c12550b')]",
+ "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f30a47c1-65fb-42b1-a7f4-00941c12550b')))]",
+ "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f30a47c1-65fb-42b1-a7f4-00941c12550b','-', '1.2.7')))]"
+ },
+ "analyticRuleObject41": {
+ "analyticRuleVersion41": "1.2.5",
+ "_analyticRulecontentId41": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf",
+ "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf')]",
+ "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf')))]",
+ "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf','-', '1.2.5')))]"
+ },
+ "analyticRuleObject42": {
+ "analyticRuleVersion42": "1.0.0",
+ "_analyticRulecontentId42": "23391c84-87d8-452f-a84c-47a62f01e115",
+ "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '23391c84-87d8-452f-a84c-47a62f01e115')]",
+ "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('23391c84-87d8-452f-a84c-47a62f01e115')))]",
+ "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','23391c84-87d8-452f-a84c-47a62f01e115','-', '1.0.0')))]"
+ },
+ "analyticRuleObject43": {
+ "analyticRuleVersion43": "1.0.4",
+ "_analyticRulecontentId43": "d23ed927-5be3-4902-a9c1-85f841eb4fa1",
+ "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd23ed927-5be3-4902-a9c1-85f841eb4fa1')]",
+ "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d23ed927-5be3-4902-a9c1-85f841eb4fa1')))]",
+ "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d23ed927-5be3-4902-a9c1-85f841eb4fa1','-', '1.0.4')))]"
+ },
+ "analyticRuleObject44": {
+ "analyticRuleVersion44": "1.1.5",
+ "_analyticRulecontentId44": "999e9f5d-db4a-4b07-a206-29c4e667b7e8",
+ "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
+ "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('999e9f5d-db4a-4b07-a206-29c4e667b7e8')))]",
+ "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','999e9f5d-db4a-4b07-a206-29c4e667b7e8','-', '1.1.5')))]"
+ },
+ "analyticRuleObject45": {
+ "analyticRuleVersion45": "1.2.3",
+ "_analyticRulecontentId45": "67775878-7f8b-4380-ac54-115e1e828901",
+ "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67775878-7f8b-4380-ac54-115e1e828901')]",
+ "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67775878-7f8b-4380-ac54-115e1e828901')))]",
+ "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67775878-7f8b-4380-ac54-115e1e828901','-', '1.2.3')))]"
+ },
+ "analyticRuleObject46": {
+ "analyticRuleVersion46": "1.2.5",
+ "_analyticRulecontentId46": "e2399891-383c-4caf-ae67-68a008b9f89e",
+ "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e2399891-383c-4caf-ae67-68a008b9f89e')]",
+ "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e2399891-383c-4caf-ae67-68a008b9f89e')))]",
+ "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e2399891-383c-4caf-ae67-68a008b9f89e','-', '1.2.5')))]"
+ },
+ "analyticRuleObject47": {
+ "analyticRuleVersion47": "1.0.3",
+ "_analyticRulecontentId47": "aac495a9-feb1-446d-b08e-a1164a539452",
+ "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aac495a9-feb1-446d-b08e-a1164a539452')]",
+ "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aac495a9-feb1-446d-b08e-a1164a539452')))]",
+ "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aac495a9-feb1-446d-b08e-a1164a539452','-', '1.0.3')))]"
+ },
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
@@ -358,7 +453,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Threat Intelligence data connector with template version 3.0.1",
+ "description": "Threat Intelligence data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -517,7 +612,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Threat Intelligence data connector with template version 3.0.1",
+ "description": "Threat Intelligence data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -676,7 +771,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Threat Intelligence data connector with template version 3.0.1",
+ "description": "Threat Intelligence data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion3')]",
@@ -688,7 +783,7 @@
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId3')]",
@@ -702,18 +797,6 @@
"baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
}
],
- "sampleQueries": [
- {
- "description": "All Threat Intelligence APIs Indicators",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
- }
- ],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
@@ -722,40 +805,10 @@
]
}
],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.SecurityInsights/threatintelligence/write",
- "permissionsDisplayText": "write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ",
- "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: "
- },
- {
- "title": "Follow These Steps to Connect to your Threat Intelligence: "
- },
- {
- "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]",
- "title": "1. Get AAD Access Token"
- },
+ "dataTypes": [
{
- "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
- "title": "2. Send indicators to Sentinel"
+ "name": "ThreatIntelligenceIndicator",
+ "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
}
]
}
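Review bot: The `permissions` entry for `Microsoft.SecurityInsights/threatintelligence/write` and the two instruction steps (token acquisition against the `variables('management')` scope, POST to the upload endpoint) are deleted here with nothing replacing them; the only addition in the hunk is `dataTypes` re-inserted below `connectivityCriterias`. If `StaticUI` connectors do not render these properties the deletion is harmless for the portal, but the template itself no longer states what privilege an indicator-upload integration needs, which is what operators use when scoping the app registration or managed identity. Whatever carries that guidance from now on should ask for write only — the removed block also demanded `"delete": true`, which an upload-only client does not need — so it is worth confirming in the PR description where the requirement now lives rather than leaving it implied. The enclosing `connectorUiConfig` object starts outside this hunk.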
@@ -837,7 +890,7 @@
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"title": "Threat Intelligence Upload Indicators API (Preview)",
@@ -864,48 +917,6 @@
]
}
],
- "sampleQueries": [
- {
- "description": "All Threat Intelligence APIs Indicators",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.SecurityInsights/threatintelligence/write",
- "permissionsDisplayText": "write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ",
- "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: "
- },
- {
- "title": "Follow These Steps to Connect to your Threat Intelligence: "
- },
- {
- "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]",
- "title": "1. Get AAD Access Token"
- },
- {
- "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
- "title": "2. Send indicators to Sentinel"
- }
- ],
"id": "[variables('_uiConfigId3')]"
}
}
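Review bot: This second copy of the connector drops `availability` (`"isPreview": false`) while the title context line in the preceding hunk still reads `"Threat Intelligence Upload Indicators API (Preview)"`, so the template now gives contradictory-then-absent signals about preview status. Either the title should lose "(Preview)" or the status should be stated somewhere the `StaticUI` schema still honours; as written a reader cannot tell which is intended. The `connectorUiConfig` object this hunk edits begins outside the hunk.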
@@ -919,7 +930,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Threat Intelligence data connector with template version 3.0.1",
+ "description": "Threat Intelligence data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion4')]",
@@ -1078,7 +1089,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ThreatIntelligenceWorkbook Workbook with template version 3.0.1",
+ "description": "ThreatIntelligence Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -1096,7 +1107,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 
100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart 
kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n 
iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most 
recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize 
SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join 
kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= 
Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", 
Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 
100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where 
column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), 
Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1107,7 +1118,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=ThreatIntelligenceWorkbook; logoFileName=; description=Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=5.0.0; title=Threat Intelligence; templateRelativePath=ThreatIntelligence.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=ThreatIntelligenceWorkbook; logoFileName=Azure_Sentinel.svg; description=Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=5.0.0; title=Threat Intelligence; templateRelativePath=ThreatIntelligence.json; subtitle=; provider=Microsoft}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
@@ -1168,16 +1179,16 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
@@ -1207,13 +1218,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "Threat Intelligence Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1238,27 +1249,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "TI Map File Entity to OfficeActivity Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]",
+ "version": "1.0.3"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
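Review bot: The new `contentProductId`, `id` and `version` fields at the end of this hunk hard-code the literal `'1.0.3'`, while the same hunting query's `contentVersion` on the new side still reads `[variables('huntingQueryObject1').huntingQueryVersion1]`, so the package version now lives in two places that can drift apart on the next bump. If the generator emits the literal on purpose this is fine, but otherwise `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` and the same reference inside the `uniqueString(...)` argument keep a single source of truth. The same pattern repeats for hunting queries 2–5 in the hunks at `@@ -1319`, `@@ -1400`, `@@ -1481` and `@@ -1562`.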
@@ -1288,13 +1299,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "Threat Intelligence Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1319,27 +1330,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "TI Map File Entity to Security Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.3')))]",
+ "version": "1.0.3"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"parameters": {},
"variables": {},
"resources": [
@@ -1369,13 +1380,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
"properties": {
"description": "Threat Intelligence Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1400,27 +1411,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"contentKind": "HuntingQuery",
"displayName": "TI Map File Entity to Syslog Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.3')))]",
+ "version": "1.0.3"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"parameters": {},
"variables": {},
"resources": [
@@ -1450,13 +1461,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
"properties": {
"description": "Threat Intelligence Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1481,27 +1492,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"contentKind": "HuntingQuery",
"displayName": "TI Map File Entity to VMConnection Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.3')))]",
+ "version": "1.0.3"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"parameters": {},
"variables": {},
"resources": [
@@ -1531,13 +1542,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
"properties": {
"description": "Threat Intelligence Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1562,41 +1573,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"contentKind": "HuntingQuery",
"displayName": "TI Map File Entity to WireData Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.3')))]",
+ "version": "1.0.3"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI",
- "displayName": "TI map Domain entity to CommonSecurityLog",
+ "description": "Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to PaloAlto CommonSecurityLog",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour\nlet ioc_lookBack = 14d; // Look back 14 days\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\nlet list_tlds =\n ThreatIntelligenceIndicator\n // Filter indicators based on the specified time range and active indicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n // Convert domain names to lowercase for consistency\n | extend DomainName = tolower(DomainName)\n // Split domain names into parts and extract the TLD\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Count the occurrences of each TLD\n | summarize count() by tostring(tld)\n // Create a list of TLDs\n | summarize make_list(tld);\n// Retrieve threat intelligence indicators within the specified time range\nlet Domain_Indicators =\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter indicators that have a non-empty domain name\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Join threat intelligence indicators with common security logs\nDomain_Indicators\n| join kind=innerunique (\n CommonSecurityLog\n // Filter common security logs based on the specified time range\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and 
AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\\\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim('\"', tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Validate parsed domain by checking if the TLD is in the threat feed's TLD list\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity == $right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour\nlet ioc_lookBack = 14d; // Look back 14 days\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\nlet SecurityLog = materialize(\n CommonSecurityLog\n // Filter common security logs based on the specified time range\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\\\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim('\"', tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n);\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\n// Retrieve threat intelligence indicators within the specified time range\nlet Domain_Indicators = materialize(\n ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_DomainEntity = tolower(DomainName)\n | where TI_DomainEntity in (LogDomains)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now());\n// Join threat intelligence indicators with common security logs\nDomain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain\n| where 
CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
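Review bot: The comment `// Create a list of top-level domains (TLDs) from the threat feed data for later validation` at the top of the new query is now stale: the rewrite drops `list_tlds` and the `tld in~ (list_tlds)` check in favour of pre-filtering indicators with `where TI_DomainEntity in (LogDomains)`, so nothing after that comment builds a TLD list. Replace it with a line describing what follows, e.g. `// Materialize the last hour of Palo Alto URL events and collect their distinct hosts so TI indicators can be pre-filtered`. `LogDomains` is also built with an uncapped `make_list`; if a busy feed can yield more distinct hosts per hour than the `in` operator's documented list limit, bounding the list size is worth considering. The rule's `properties` object continues past the end of the hunk.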
@@ -1607,22 +1618,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -1662,13 +1673,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1693,41 +1704,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to CommonSecurityLog",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "displayName": "TI map Domain entity to PaloAlto CommonSecurityLog",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in DnsEvents from any Domain IOC from TI",
- "displayName": "TI map Domain entity to DnsEvents",
+ "description": "This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.",
+ "displayName": "TI Map Domain Entity to DeviceNetworkEvents",
"enabled": false,
- "query": "// Define the lookback periods for time-based filters\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to domains\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without domain names\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Create a list of TLDs in our threat feed for later validation\nlet maxListSize = 100000; // Define the maximum allowed size for each list\nlet list_tlds = Domain_Indicators\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | project tld\n | summarize make_list(tld, maxListSize);\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\nDomain_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Name\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = 
arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = DNS_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n | where isnotempty(RemoteUrl)\n | where TimeGenerated >= ago(dt_lookBack)\n | where ActionType !has \"ConnectionFailed\"\n | extend Domain = tostring(parse_url(tolower(RemoteUrl)).Host)\n | where isnotempty(Domain)\n | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;\nlet DeviceNetworkEventDomains = DeviceNetworkEvents_\n | distinct Domain\n | summarize make_list(Domain);\nThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (DeviceNetworkEventDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceNetworkEvents_) on $left.TI_Domain == $right.Domain\n| where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime\n| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, TI_Domain\n| project DeviceNetworkEvents_TimeGenerated, IndicatorId, TI_Domain, Url = RemoteUrl, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort\n| extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n| extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
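Review bot: The new query derives `Domain` with `tostring(parse_url(tolower(RemoteUrl)).Host)` and then drops rows with `where isnotempty(Domain)`; if `RemoteUrl` carries a bare hostname without a scheme, `parse_url` may leave `Host` empty and the event is silently excluded, so this is worth confirming against sample data and, if needed, falling back to the raw value: `| extend ParsedHost = tostring(parse_url(tolower(RemoteUrl)).Host)` then `| extend Domain = iif(isempty(ParsedHost), tolower(RemoteUrl), ParsedHost)`. This hunk also replaces the DnsEvents rule with a DeviceNetworkEvents rule under the same `analyticRuleObject2` slot; if `_analyticRulecontentId2` keeps the former rule's identifier, existing deployments would see the DnsEvents template overwritten in place rather than a new template added alongside it, which the commit description should state. The rule's `properties` object continues past the end of the hunk.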
@@ -1738,28 +1749,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DNS",
"dataTypes": [
- "DnsEvents"
- ]
+ "DeviceNetworkEvents"
+ ],
+ "connectorId": "MicrosoftThreatProtection"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -1767,24 +1778,24 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "identifier": "Name",
+ "columnName": "Name"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
{
- "entityType": "IP",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
}
]
},
@@ -1796,6 +1807,15 @@
"columnName": "Url"
}
]
+ },
+ {
+ "entityType": "Process",
+ "fieldMappings": [
+ {
+ "identifier": "CommandLine",
+ "columnName": "InitiatingProcessCommandLine"
+ }
+ ]
}
]
}
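Review bot: The Process entity added here for rule 2 is mapped on `CommandLine` alone; whether a command line by itself is a strong identifier for a Process entity is not visible from this hunk, and the rewritten query at the top of this section projects `InitiatingProcessCommandLine` but not `InitiatingProcessId`. If a stronger identifier is wanted, adding `InitiatingProcessId` to the query's project list and a second field mapping `"identifier": "ProcessId", "columnName": "InitiatingProcessId"` would supply it — confirm against the Sentinel entity reference before changing, since the hunk as written is at least internally consistent.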
@@ -1803,13 +1823,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -1834,41 +1854,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to DnsEvents",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "displayName": "TI Map Domain Entity to DeviceNetworkEvents",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId3')]",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This rule identifies Web Sessions for which the target URL hostname is a known IoC.
This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.",
- "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
+ "description": "Identifies a match in DnsEvents from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to DnsEvents",
"enabled": false,
- "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet DOMAIN_TI=ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName);\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \n | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\nDOMAIN_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\n //Extract domain patterns from syslog message\n | extend domain = tostring(parse_url(Url)[\"Host\"])\n | where isnotempty(domain)\n | extend tld = tostring(split(domain, '.')[-1])\n | extend Event_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Event_TimeGenerated < ExpirationDateTime\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url \n",
+ "query": "// Define the lookback periods for time-based filters\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to domains\nlet Domain_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without domain names\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\n// Create a list of TLDs in our threat feed for later validation\nlet maxListSize = 100000; // Define the maximum allowed size for each list\nlet list_tlds = Domain_Indicators\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | project tld\n | summarize make_list(tld, maxListSize);\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\nDomain_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Name\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = 
arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = DNS_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
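Review bot: The DnsEvents join in the added rule 3 query (`on $left.TI_DomainEntity==$right.Name`) is case-sensitive, while the TLD pre-filter on the same line uses `in~` and the sibling DeviceNetworkEvents and EmailEvents queries in this commit lowercase both keys before joining, so a mixed-case DomainName indicator passes the TLD check and still never matches a lowercase DNS query name. Lowercasing both sides keeps it consistent with the other rules: `| extend TI_DomainEntity = tolower(DomainName);` on the indicator side and a lowercased copy of `Name` as the join key on the DnsEvents side, so the projected `Name` keeps its original casing. The comment `// Extract domain patterns from syslog message` was carried over from another rule and no longer describes DnsEvents; `// Split the queried name and take its TLD` matches what the following lines do.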
@@ -1879,40 +1899,53 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SquidProxy",
"dataTypes": [
- "SquidProxy_CL"
- ]
+ "DnsEvents"
+ ],
+ "connectorId": "DNS"
},
{
- "connectorId": "Zscaler",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
+ }
+ ]
+ },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "ClientIP"
}
]
},
@@ -1925,32 +1958,19 @@
}
]
}
- ],
- "customDetails": {
- "IoCExpirationTime": "ExpirationDateTime",
- "IndicatorId": "IndicatorId",
- "IoCConfidenceScore": "ConfidenceScore",
- "IoCDescription": "Description",
- "EventTime": "Event_TimeGenerated",
- "ThreatType": "ThreatType",
- "ActivityGroupNames": "ActivityGroupNames"
- },
- "alertDetailsOverride": {
- "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC",
- "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator."
- }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
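Review bot: The rewritten rule 3 template removes the `customDetails` block the replaced rule carried (IoCExpirationTime, IndicatorId, IoCConfidenceScore, IoCDescription, EventTime, ThreatType, ActivityGroupNames) and adds none in its place, so incidents raised by the DnsEvents rule carry no indicator context in their custom details. The new query projects every one of those columns, with the event time under `DNS_TimeGenerated`, so the block can be kept as it was with only `"EventTime": "DNS_TimeGenerated"` changed. Whether the removal was deliberate is not visible from this hunk; if the customisation is wanted, a matching `alertDetailsOverride` referencing `{{Computer}}` and `{{Name}}` would also help triage.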
@@ -1975,41 +1995,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
- "contentProductId": "[variables('_analyticRulecontentProductId3')]",
- "id": "[variables('_analyticRulecontentProductId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "displayName": "TI map Domain entity to DnsEvents",
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI",
- "displayName": "TI map Domain entity to PaloAlto",
+ "description": "Identifies a match in EmailEvents table from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to EmailEvents",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\nlet list_tlds = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Join with CommonSecurityLog to find potential malicious activity\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n // | where DeviceAction !~ \"block-url\"\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = coalesce(RequestURL, \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"http://\" and 
PA_Url !startswith \"https://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), PA_Url)\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url)\n | extend Domain = trim(@\"\"\"\", tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity == $right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n // Select the desired fields for the final result set\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\n | extend timestamp = CommonSecurityLog_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has \"Blocked\" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromDomain = tolower(SenderFromDomain) | extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1))));\nlet SenderDomains = EmailEvents_ | distinct SenderFromDomain | summarize make_list(SenderFromDomain);\nlet RecipientDomains = EmailEvents_ | distinct RecipientEmailDomain | summarize make_list(RecipientEmailDomain);\nlet TI = materialize(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (SenderDomains) or TI_Domain in (RecipientDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\n(union\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.SenderFromDomain),\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.RecipientEmailDomain))\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress\n| project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_Domain, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = 
EmailEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
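Review bot: In the added EmailEvents query, `RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)))` stringifies the single-element array that `split(..., 1)` returns, so the value is the array's JSON text (with brackets and quotes) rather than the bare domain, and neither the `TI_Domain in (RecipientDomains)` pre-filter nor the `$right.RecipientEmailDomain` join can ever match; only sender-domain hits are produced. The same query already indexes the array correctly for `UPNSuffix`, so the fix is `| extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)[0]))`. Because the failure is silent (no error, just no recipient matches), a quick run against a known recipient domain is worth doing before this ships.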
@@ -2020,28 +2040,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoNetworks",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "EmailEvents"
+ ],
+ "connectorId": "Office365"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
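Review bot: The new connector entry for rule 4 lists `EmailEvents` under `"connectorId": "Office365"`, but the Office365 connector ingests OfficeActivity, while EmailEvents is a Microsoft 365 Defender table that this same commit maps to `MicrosoftThreatProtection` for DeviceNetworkEvents in rule 2. If the required-connector check is meant to reflect where the table actually arrives from, the entry should be `"connectorId": "MicrosoftThreatProtection"`; the `EmailUrlInfo` entry in rule 5's `requiredDataConnectors` hunk further down has the same mismatch. Confirm against the solution's connector definitions before changing, since the choice of Office365 may be deliberate for packaging reasons not visible here.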
@@ -2049,29 +2069,15 @@
],
"entityMappings": [
{
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "DeviceName"
- }
- ]
- },
- {
- "entityType": "IP",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIP"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
+ "identifier": "Name",
+ "columnName": "Name"
+ },
{
- "identifier": "Url",
- "columnName": "PA_Url"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
}
@@ -2081,13 +2087,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2112,41 +2118,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to PaloAlto",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "displayName": "TI map Domain entity to EmailEvents",
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI",
- "displayName": "TI map Domain entity to SecurityAlert",
+ "description": "Identifies a match in EmailUrlInfo table from any Domain IOC from TI.",
+ "displayName": "TI map Domain entity to EmailUrlInfo",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Lookback time for recent data, set to 1 hour\nlet ioc_lookBack = 14d; // Lookback time for threat feed data, set to 14 days\n// Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract domain patterns from message\n | extend domain = todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1,1]), tolower(Entities))))\n | mv-expand domain\n | extend domain = tostring(domain[0])\n | extend parts = split(domain, '.')\n // Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the 
array\n | extend EntitiesDynamicArray = parse_json(Entities)\n | mv-apply EntitiesDynamicArray on\n (summarize\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n )\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n ) on $left.TI_DomainEntity == $right.domain\n | where Alert_TimeGenerated < ExpirationDateTime\n | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\n | extend timestamp = Alert_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailUrlInfo_ = materialize(EmailUrlInfo\n| where isnotempty(UrlDomain)\n| where TimeGenerated > ago(dt_lookBack)\n| project-rename Email_Url = Url);\nlet Domains = EmailUrlInfo_\n| distinct UrlDomain\n| summarize make_list(UrlDomain);\nlet Candidates = ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain\n| join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId\n| where DeliveryLocation !has \"Quarantine\"\n// Customize and uncomment the following line to remove security related mailboxes\n//| where tolower(RecipientEmailAddress) !in (\"secmailbox1@example.com\", \"secmailbox2@example.com\")\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;\nlet Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated > ago(ioc_lookBack)\n| extend Host = tostring(parse_url(Url).Host)\n| where Host in (Candidate_Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) 
| extend BaseUrl = strcat(parsed_url.Scheme, \"://\", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl\n| where DeliveryAction !has \"Blocked\"\n| project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
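Review bot: The added EmailUrlInfo query only emits rows from the final join of URL indicators (`ThreatIntelligenceIndicator | where isnotempty(Url) ...`) against `Candidates`, so an email URL whose domain matches a Domain indicator but has no exact-URL indicator (`$left.Url == $right.BaseUrl`) is never alerted, which contradicts the rule description `Identifies a match in EmailUrlInfo table from any Domain IOC from TI.` If requiring both a domain and a URL indicator is intentional to cut noise, the description and displayName should say so; otherwise `Candidates` should be the output (or unioned in) and the URL join kept as enrichment. The `BaseUrl` comparison is also case-sensitive and is built from scheme, host and path only, so a URL indicator carrying a query string or different casing will not match; lowercasing both sides removes at least the casing dependency.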
@@ -2157,34 +2163,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "EmailUrlInfo"
+ ],
+ "connectorId": "Office365"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "MicrosoftCloudAppSecurity",
- "dataTypes": [
- "SecurityAlert"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "AzureSecurityCenter",
"dataTypes": [
- "SecurityAlert"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2192,20 +2192,15 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "HostName"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
+ "identifier": "Name",
+ "columnName": "Name"
+ },
{
- "identifier": "Address",
- "columnName": "IP_addr"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
@@ -2224,13 +2219,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2255,41 +2250,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to SecurityAlert",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "displayName": "TI map Domain entity to EmailUrlInfo",
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId6')]",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in Syslog table from any Domain IOC from TI",
- "displayName": "TI map Domain entity to Syslog",
+ "description": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.",
+ "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n | join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog messages\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n // Split out the top-level domain (TLD)\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.domain\n | where Syslog_TimeGenerated < ExpirationDateTime\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize 
Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n",
+ "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet DOMAIN_TI=ThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \n | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\nDOMAIN_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\n //Extract domain patterns from syslog message\n | extend domain = tostring(parse_url(Url)[\"Host\"])\n | where isnotempty(domain)\n | extend tld = tostring(split(domain, '.')[-1])\n | extend Event_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Event_TimeGenerated < ExpirationDateTime\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url \n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
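Review bot: The join `on $left.DomainName==$right.domain` in the new rule-6 query is case-sensitive and neither side is normalised — `DomainName` comes straight from `ThreatIntelligenceIndicator` and `domain` is `parse_url(Url)["Host"]` as logged — so a mixed-case indicator or URL host silently never matches, whereas the Palo Alto and Syslog variants in this template lower-case before joining. Add `| extend DomainName = tolower(DomainName)` to `DOMAIN_TI` (after the `isnotempty(DomainName)` filter) and change the extraction to `| extend domain = tolower(tostring(parse_url(Url)["Host"]))`. The `tld` column is computed but never used, and the comments `//Create a list of TLDs in our threat feed for later validation` and `//Extract domain patterns from syslog message` were carried over from the Syslog rule and no longer describe this query; either use the column for a TLD pre-check or drop it, and reword the comments. This rule also omits the `Description !contains_cs "State: inactive;"` / `"State: falsepos;"` filter that rules 5 and 8 apply — confirm that is deliberate. The rule's `properties` object continues past the hunk.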
@@ -2300,28 +2295,34 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Syslog",
"dataTypes": [
- "Syslog"
- ]
+ "SquidProxy_CL"
+ ],
+ "connectorId": "SquidProxy"
+ },
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "Zscaler"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2329,29 +2330,16 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "HostName"
- },
- {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
}
]
},
{
- "entityType": "IP",
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "HostIP"
- }
- ]
- },
- {
- "entityType": "URL",
+ "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
@@ -2359,19 +2347,32 @@
}
]
}
- ]
+ ],
+ "customDetails": {
+ "IndicatorId": "IndicatorId",
+ "IoCExpirationTime": "ExpirationDateTime",
+ "IoCDescription": "Description",
+ "ActivityGroupNames": "ActivityGroupNames",
+ "ThreatType": "ThreatType",
+ "EventTime": "Event_TimeGenerated",
+ "IoCConfidenceScore": "ConfidenceScore"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
+ "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2396,41 +2397,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Domain entity to Syslog",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId7')]",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in AzureActivity table from any Email IOC from TI",
- "displayName": "TI map Email entity to AzureActivity",
+ "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to PaloAlto",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\nResourceGroup, SubscriptionId\n| extend Name = tostring(split(Caller, '@', 0)[0]), UPNSuffix = tostring(split(Caller, '@', 1)[0])\n| extend timestamp = AzureActivity_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\nlet list_tlds = \n ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = \n ThreatIntelligenceIndicator\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Join with CommonSecurityLog to find potential malicious activity\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n // | where DeviceAction !~ \"block-url\"\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = coalesce(RequestURL, \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"http://\" and 
PA_Url !startswith \"https://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), PA_Url)\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url)\n | extend Domain = trim(@\"\"\"\", tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity == $right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n // Select the desired fields for the final result set\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\n | extend timestamp = CommonSecurityLog_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
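Review bot: In the new rule-7 query the `AdditionalExtensions` fallback can never fire: `coalesce(RequestURL, "None")` yields `"None"` for a null or empty `RequestURL`, so `PA_Url` is never empty and the `isempty(PA_Url)` test on the following line is always false, while the later `PA_Url !in~ ('None', 'http://None', 'https://None')` checks show the sentinel was meant to drive that branch. Change the condition to `iif(PA_Url =~ "None" and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))`. Separately, the join `on $left.TI_DomainEntity == $right.Domain` compares an un-normalised `TI_DomainEntity = DomainName` against a lower-cased `Domain`, so any indicator containing upper-case letters never matches; `list_tlds` already lower-cases, so do the same in `Domain_Indicators` with `| extend TI_DomainEntity = tolower(DomainName)`. The `properties` object continues past the hunk.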
@@ -2441,28 +2442,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureActivity",
"dataTypes": [
- "AzureActivity"
- ]
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2470,15 +2471,11 @@
],
"entityMappings": [
{
- "entityType": "Account",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "identifier": "HostName",
+ "columnName": "DeviceName"
}
]
},
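Review bot: The new `Host` mapping binds `HostName` to `DeviceName`, which in `CommonSecurityLog` is the name of the reporting device — here the Palo Alto firewall — so every incident from this rule will carry the same firewall as its Host entity rather than the client that requested the flagged URL. If the client is what analysts should pivot on, the query would need to project `SourceHostName` and the mapping would point at that column; if the sensor is intentionally the entity, a short remark in the rule `description` would stop the next reader from "fixing" it. The field semantics here are inferred from the CEF schema rather than from this hunk, so verify against Palo Alto log samples.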
@@ -2487,7 +2484,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "CallerIpAddress"
+ "columnName": "SourceIP"
}
]
},
@@ -2496,7 +2493,7 @@
"fieldMappings": [
{
"identifier": "Url",
- "columnName": "Url"
+ "columnName": "PA_Url"
}
]
}
@@ -2506,13 +2503,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2537,41 +2534,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to AzureActivity",
- "contentProductId": "[variables('_analyticRulecontentProductId7')]",
- "id": "[variables('_analyticRulecontentProductId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "displayName": "TI map Domain entity to PaloAlto",
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId8')]",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in OfficeActivity table from any Email IOC from TI",
- "displayName": "TI map Email entity to OfficeActivity",
+ "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to SecurityAlert",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n| extend timestamp = OfficeActivity_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet SecurityAlerts = SecurityAlert\n| where TimeGenerated > ago(dt_lookBack)\n| extend domain = todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1]), tolower(Entities))))\n| where isnotempty(domain)\n| mv-expand domain\n| extend domain = tostring(domain)\n| extend EntitiesDynamicArray = parse_json(Entities)\n| mv-apply EntitiesDynamicArray on\n (summarize\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n )\n| extend Alert_TimeGenerated = TimeGenerated\n| extend Alert_Description = Description;\nlet AlertDomains = SecurityAlerts\n| distinct domain\n| summarize make_list(domain);\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_DomainEntity = tolower(DomainName)\n| where TI_DomainEntity in (AlertDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\nDomain_Indicators\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, 
TI_DomainEntity\n| extend timestamp = Alert_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
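Review bot: The domain extraction in the rule-8 query runs the regex over the whole `tolower(Entities)` JSON blob, so any dotted lower-case token — file names such as `setup.exe`, process names, fragments of UPNs — lands in `domain` and in the `AlertDomains` list that is then handed to `in (...)` on the TI side. The join still yields only genuine indicator matches, but the list is inflated for nothing and can grow large on a noisy hour; the Syslog rule in this same template bounds the same problem with `| where tld in~ (list_tlds)`, and applying that pre-check here would be consistent. If list size is a concern, reuse the Syslog rule's `list_tlds` block (about eight lines built from `ThreatIntelligenceIndicator.DomainName`) and filter `SecurityAlerts` on the last label before `distinct domain`. The `properties` object continues past the hunk.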
@@ -2582,28 +2579,34 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Office365",
"dataTypes": [
- "OfficeActivity"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "SecurityAlert"
+ ],
+ "connectorId": "MicrosoftCloudAppSecurity"
+ },
+ {
+ "dataTypes": [
+ "SecurityAlert"
+ ],
+ "connectorId": "AzureSecurityCenter"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2611,15 +2614,11 @@
],
"entityMappings": [
{
- "entityType": "Account",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "identifier": "HostName",
+ "columnName": "HostName"
}
]
},
@@ -2628,7 +2627,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "IP_addr"
}
]
},
@@ -2647,13 +2646,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2678,41 +2677,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to OfficeActivity",
- "contentProductId": "[variables('_analyticRulecontentProductId8')]",
- "id": "[variables('_analyticRulecontentProductId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "displayName": "TI map Domain entity to SecurityAlert",
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId9')]",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI",
- "displayName": "TI map Email entity to PaloAlto CommonSecurityLog",
+ "description": "Identifies a match in Syslog table from any Domain IOC from TI",
+ "displayName": "TI map Domain entity to Syslog",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n | join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog messages\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n // Split out the top-level domain (TLD)\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.domain\n | where Syslog_TimeGenerated < ExpirationDateTime\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize 
Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -2723,28 +2722,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoNetworks",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "Syslog"
+ ],
+ "connectorId": "Syslog"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2752,11 +2751,15 @@
],
"entityMappings": [
{
- "entityType": "Account",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "DestinationUserID"
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
}
]
},
@@ -2765,7 +2768,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "HostIP"
}
]
},
@@ -2784,13 +2787,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2815,41 +2818,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to PaloAlto CommonSecurityLog",
- "contentProductId": "[variables('_analyticRulecontentProductId9')]",
- "id": "[variables('_analyticRulecontentProductId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "displayName": "TI map Domain entity to Syslog",
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId10')]",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others",
- "displayName": "TI map Email entity to SecurityAlert",
+ "description": "Identifies a match in AzureActivity table from any Email IOC from TI",
+ "displayName": "TI map Email entity to AzureActivity",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, 
AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0])\n| extend timestamp = Alert_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\nResourceGroup, SubscriptionId\n| extend Name = tostring(split(Caller, '@', 0)[0]), UPNSuffix = tostring(split(Caller, '@', 1)[0])\n| extend timestamp = AzureActivity_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
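Review bot: The join `on $left.EmailSenderAddress == $right.Caller` is case-sensitive while only the AzureActivity side is lowercased, so an indicator whose EmailSenderAddress contains uppercase characters never matches. The EmailEvents and OfficeActivity queries later in this commit lowercase the indicator side; this query should do the same, e.g. insert `| extend EmailSenderAddress = tolower(EmailSenderAddress)` immediately before `| join kind=innerunique (`. Unlike the OfficeActivity query, this one also does not exclude indicators whose Description carries `State: inactive;` or `State: falsepos;`; if that exclusion is meant to apply solution-wide, the same where clause belongs here and in the EmailEvents query of this commit.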
@@ -2860,28 +2863,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureSecurityCenter",
"dataTypes": [
- "SecurityAlert"
- ]
+ "AzureActivity"
+ ],
+ "connectorId": "AzureActivity"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -2901,6 +2904,15 @@
}
]
},
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "CallerIpAddress"
+ }
+ ]
+ },
{
"entityType": "URL",
"fieldMappings": [
@@ -2916,13 +2928,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -2947,41 +2959,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to SecurityAlert",
- "contentProductId": "[variables('_analyticRulecontentProductId10')]",
- "id": "[variables('_analyticRulecontentProductId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "displayName": "TI map Email entity to AzureActivity",
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName11')]",
+ "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion11')]",
+ "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId11')]",
+ "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in SecurityEvent table from any Email IOC from TI",
- "displayName": "TI map Email entity to SecurityEvent",
+ "description": "Identifies a match in EmailEvents table from any Email IOC from TI",
+ "displayName": "TI map Email entity to EmailEvents",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n),\n(WindowsEvent\n| where TimeGenerated >= ago(dt_lookBack)\n| extend TargetUserName = tostring(EventData.TargetUserName)\n| where isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n))\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, 
AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = SecurityEvent_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has \"Blocked\" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromAddress = tolower(SenderFromAddress) | extend RecipientEmailAddress = tolower(RecipientEmailAddress));\nlet SenderAddresses = EmailEvents_ | distinct SenderFromAddress | summarize make_list(SenderFromAddress);\nlet RecipientAddresses = EmailEvents_ | distinct RecipientEmailAddress | summarize make_list(RecipientEmailAddress);\nlet TI = materialize(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| where isnotempty(EmailSenderAddress)\n| extend TI_EmailAddress = tolower(EmailSenderAddress)\n| where TI_EmailAddress in (SenderAddresses) or TI_EmailAddress in (RecipientAddresses)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now());\n(union\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.SenderFromAddress),\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.RecipientEmailAddress))\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, TI_EmailAddress\n| project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_EmailAddress, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
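Review bot: The new EmailEvents query silently drops messages whose DeliveryAction has "Blocked", but the rule description still reads only "Identifies a match in EmailEvents table from any Email IOC from TI", so an analyst tuning the rule cannot see that blocked mail is excluded. Suggest extending it, e.g. `"description": "Identifies a match in EmailEvents table from any Email IOC from TI. Messages whose DeliveryAction contains Blocked are excluded."`. The Name/UPNSuffix columns are always derived from RecipientEmailAddress, even for rows where the indicator matched SenderFromAddress; if treating the recipient as the account of interest is intentional, a one-line comment in the query saying so would save the next reader from reading it as a bug.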
@@ -2992,40 +3004,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "EmailEvents"
+ ],
+ "connectorId": "Office365"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- },
- {
- "connectorId": "WindowsSecurityEvents",
- "dataTypes": [
- "SecurityEvents"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
- "WindowsEvent"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
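Review bot: The connector entry for the EmailEvents data type is set to connectorId "Office365", but as far as I know EmailEvents is populated by the Microsoft Defender XDR connector (connectorId "MicrosoftThreatProtection"), while Office365 only delivers OfficeActivity; please confirm against the connector definition, otherwise the portal will report the rule's prerequisites as met by a connector that never feeds the table. The remaining entries in this hunk only reorder dataTypes above connectorId.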
@@ -3037,38 +3037,11 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "TargetUserName"
- }
- ]
- },
- {
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "Name"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IpAddress"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
}
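Review bot: The URL entity mapping is removed here, yet the new EmailEvents query still projects Url, so a match on an indicator that carries a Url produces an incident with no URL entity while the sibling AzureActivity rule in this commit keeps its URL mapping. Either keep the old fieldMapping (identifier Url, columnName Url) for this rule, or drop Url from the query's project list so the rule and query agree. The enclosing entityMappings array starts outside this hunk.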
@@ -3078,13 +3051,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 11",
- "parentId": "[variables('analyticRuleId11')]",
- "contentId": "[variables('_analyticRulecontentId11')]",
+ "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion11')]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3109,41 +3082,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId11')]",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to SecurityEvent",
- "contentProductId": "[variables('_analyticRulecontentProductId11')]",
- "id": "[variables('_analyticRulecontentProductId11')]",
- "version": "[variables('analyticRuleVersion11')]"
+ "displayName": "TI map Email entity to EmailEvents",
+ "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName12')]",
+ "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion12')]",
+ "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId12')]",
+ "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in SigninLogs table from any Email IOC from TI",
- "displayName": "TI map Email entity to SigninLogs",
+ "description": "Identifies a match in OfficeActivity table from any Email IOC from TI",
+ "displayName": "TI map Email entity to OfficeActivity",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, Type\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n| extend timestamp = SigninLogs_TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet OfficeEvents = materialize(\n OfficeActivity\n | where isnotempty(UserId)\n | where TimeGenerated >= ago(dt_lookBack)\n | where UserId matches regex emailregex\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\nThreatIntelligenceIndicator\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n| extend timestamp = OfficeActivity_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
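Review bot: The prefilter `| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)` is case-insensitive, but the join `on $left.EmailSenderAddress == $right.UserId` compares the raw columns, so an indicator that passes the prefilter is dropped at the join whenever UserId or EmailSenderAddress differs in case. Lowercase both sides before joining: add `| extend UserId = tolower(UserId)` inside the OfficeEvents materialize, extend the indicator side with `| extend TI_EmailAddress = tolower(EmailSenderAddress)`, and join `on $left.TI_EmailAddress == $right.UserId`. With UserId already lowercased, `distinct UserId = tolower(UserId)` can become `distinct UserId`.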
@@ -3154,34 +3127,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "OfficeActivity"
+ ],
+ "connectorId": "Office365"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "SigninLogs"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -3206,7 +3173,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "ClientIP"
}
]
},
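Review bot: The IP entity now maps ClientIP, which in OfficeActivity is, in my experience, sometimes recorded with a trailing port or in bracketed IPv6 form; if that holds for your data the entity will fail to resolve for those rows. Either confirm the field is always a bare address, or normalise it in the query before it is projected (for IPv4:port values `| extend ClientIP = tostring(split(ClientIP, ':')[0])`, with a separate branch for IPv6). The query itself is in an earlier hunk of this commit.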
@@ -3225,13 +3192,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 12",
- "parentId": "[variables('analyticRuleId12')]",
- "contentId": "[variables('_analyticRulecontentId12')]",
+ "parentId": "[variables('analyticRuleObject12').analyticRuleId12]",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion12')]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3256,41 +3223,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId12')]",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map Email entity to SigninLogs",
- "contentProductId": "[variables('_analyticRulecontentProductId12')]",
- "id": "[variables('_analyticRulecontentProductId12')]",
- "version": "[variables('analyticRuleVersion12')]"
+ "displayName": "TI map Email entity to OfficeActivity",
+ "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName13')]",
+ "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion13')]",
+ "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId13')]",
+ "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI",
- "displayName": "TI map File Hash to CommonSecurityLog Event",
+ "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI",
+ "displayName": "TI map Email entity to PaloAlto CommonSecurityLog",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n| extend Name = tostring(split(SourceUserName, '@', 0)[0]), UPNSuffix = tostring(split(SourceUserName, '@', 1)[0])\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
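Review bot: The join in the new rule 13 query (the `"query"` line, `on $left.EmailSenderAddress == $right.DestinationUserID`) lowercases only the CommonSecurityLog side, while KQL `==` is case-sensitive, so an indicator whose EmailSenderAddress contains any uppercase characters would never match the normalised log value. Add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side right after the `where Active == true and ExpirationDateTime > now()` step. The same one-sided lowercasing appears in the rule 14 query in hunk @@ -3423, the rule 15 query in hunk @@ -3468 and the rule 16 query in hunk @@ -3542, where the `in (SigninUPNs)` prefilter is also case-sensitive and would drop such an indicator before the join is reached. The rule 13 properties object continues past the end of this hunk.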
@@ -3301,28 +3268,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "PaloAltoNetworks"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -3334,24 +3301,7 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
- }
- ]
- },
- {
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "HostName"
- },
- {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DestinationUserID"
}
]
},
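Review bot: The Account mapping now sends the whole `DestinationUserID` value to the `Name` identifier, although the rule 13 query only admits values that pass `emailregex`, so this column is always a full address; rules 14 and 16 split the matched address into `Name` and `UPNSuffix`, and rule 13 should do the same so the email rules produce the same Account entity shape. Add `| extend Name = tostring(split(DestinationUserID, '@', 0)[0]), UPNSuffix = tostring(split(DestinationUserID, '@', 1)[0])` before the final `extend timestamp` in the rule 13 query and map `Name` to `Name` plus `UPNSuffix` to `UPNSuffix` here. The rule 15 mapping in hunk @@ -3513 has the same shape with `TargetUserName`, which after the inner join always equals an indicator address as well. The enclosing entityMappings array continues outside this hunk.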
@@ -3372,19 +3322,6 @@
"columnName": "Url"
}
]
- },
- {
- "entityType": "FileHash",
- "fieldMappings": [
- {
- "identifier": "Value",
- "columnName": "FileHashValue"
- },
- {
- "identifier": "Algorithm",
- "columnName": "FileHashType"
- }
- ]
}
]
}
@@ -3392,13 +3329,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]",
"properties": {
"description": "Threat Intelligence Analytics Rule 13",
- "parentId": "[variables('analyticRuleId13')]",
- "contentId": "[variables('_analyticRulecontentId13')]",
+ "parentId": "[variables('analyticRuleObject13').analyticRuleId13]",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion13')]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3423,41 +3360,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId13')]",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map File Hash to CommonSecurityLog Event",
- "contentProductId": "[variables('_analyticRulecontentProductId13')]",
- "id": "[variables('_analyticRulecontentProductId13')]",
- "version": "[variables('analyticRuleVersion13')]"
+ "displayName": "TI map Email entity to PaloAlto CommonSecurityLog",
+ "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName14')]",
+ "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion14')]",
+ "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId14')]",
+ "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in Security Event data from any File Hash IOC from TI",
- "displayName": "TI map File Hash to Security Event",
+ "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others",
+ "displayName": "TI map Email entity to SecurityAlert",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n| extend FileHashValue = toupper(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique ( union isfuzzy=true\n (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\n ),\n (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(EventData.FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\n )\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\n| extend NTDomain = tostring(split(Account, '\\\\', 0)[0]), Name = tostring(split(Account, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) \n| extend timestamp = SecurityEvent_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, 
AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0])\n| extend timestamp = Alert_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
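Review bot: The `MSTI` exclusion in the new rule 14 query (`AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel'`) carries no comment explaining that it exists to keep alerts emitted by the TI map rules, including this one, from being joined back against the indicators, and a reader is likely to treat it as dead weight. Add the KQL comment `// Exclude alerts raised by the TI map rules themselves so this rule does not re-match its own output` above the `extend MSTI` line. The guard keys on the "TI map" display-name prefix, so a renamed copy of a TI rule would presumably slip past it; that limitation is worth stating in the same comment. The rule 14 properties object continues past the end of this hunk.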
@@ -3468,40 +3405,172 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
- "dataTypes": [
- "SecurityEvent"
- ]
- },
- {
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
- "SecurityEvents"
- ]
+ "SecurityAlert"
+ ],
+ "connectorId": "AzureSecurityCenter"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
- "WindowsEvent"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 14",
+ "parentId": "[variables('analyticRuleObject14').analyticRuleId14]",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map Email entity to SecurityAlert",
+ "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in SecurityEvent table from any Email IOC from TI",
+ "displayName": "TI map Email entity to SecurityEvent",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n),\n(WindowsEvent\n| where TimeGenerated >= ago(dt_lookBack)\n| extend TargetUserName = tostring(EventData.TargetUserName)\n| where isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n))\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, 
AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = SecurityEvent_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "SecurityEvent"
+ ],
+ "connectorId": "SecurityEvents"
+ },
+ {
+ "dataTypes": [
+ "SecurityEvents"
+ ],
+ "connectorId": "WindowsSecurityEvents"
+ },
+ {
+ "dataTypes": [
+ "WindowsEvent"
+ ],
+ "connectorId": "WindowsForwardedEvents"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
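Review bot: The SecurityEvent and WindowsEvent branches of the new rule 15 query (the `"query"` line) lowercase `TargetUserName` but never apply `emailregex` to it, unlike the rule 13, 14 and 16 queries, which filter the log side with `matches regex emailregex` before the join; adding `| where TargetUserName matches regex emailregex` after each `tolower` step keeps the rules consistent and drops logon names that cannot be addresses from the join input. The comment in the WindowsEvent branch, `// renaming timestamp column so it is clear the log this came from SecurityEvent table`, was copied from the SecurityEvent branch and should read `WindowsEvent table`. The rule 14 description in hunk @@ -3423 lists MCAS and StorageThreatProtection as covered, yet the only SecurityAlert connector declared in this hunk is `AzureSecurityCenter`; presumably the other connectors that feed SecurityAlert should be listed, or the description narrowed. The rule 15 properties object continues past the end of this hunk.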
@@ -3513,11 +3582,7 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "TargetUserName"
}
]
},
@@ -3534,6 +3599,15 @@
}
]
},
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IpAddress"
+ }
+ ]
+ },
{
"entityType": "URL",
"fieldMappings": [
@@ -3542,17 +3616,1212 @@
"columnName": "Url"
}
]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 15",
+ "parentId": "[variables('analyticRuleObject15').analyticRuleId15]",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map Email entity to SecurityEvent",
+ "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in SigninLogs table from any Email IOC from TI",
+ "displayName": "TI map Email entity to SigninLogs",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet Signins = materialize(union isfuzzy=true\n( SigninLogs | where TimeGenerated >= ago(dt_lookBack)),\n( AADNonInteractiveUserSignInLogs | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend SigninLogs_TimeGenerated = TimeGenerated);\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where EmailSenderAddress in (SigninUPNs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, 
AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n| extend timestamp = SigninLogs_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "entityType": "FileHash",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "AADNonInteractiveUserSignInLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Value",
- "columnName": "FileHashValue"
+ "identifier": "Name",
+ "columnName": "Name"
},
{
- "identifier": "Algorithm",
- "columnName": "FileHashType"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPAddress"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 16",
+ "parentId": "[variables('analyticRuleObject16').analyticRuleId16]",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map Email entity to SigninLogs",
+ "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI",
+ "displayName": "TI map File Hash to CommonSecurityLog Event",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n| extend Name = tostring(split(SourceUserName, '@', 0)[0]), UPNSuffix = tostring(split(SourceUserName, '@', 1)[0])\n| extend timestamp = CommonSecurityLog_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "SourceIP"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashValue"
+ },
+ {
+ "identifier": "Algorithm",
+ "columnName": "FileHashType"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 17",
+ "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map File Hash to CommonSecurityLog Event",
+ "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI",
+ "displayName": "TI map File Hash to DeviceFileEvents Event",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceFileEvents_ = (union\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));\nlet Hashes = DeviceFileEvents_ | distinct FileHashValue;\nThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated > ago(ioc_lookBack)\n| where FileHashValue in (Hashes)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue\n| where TimeGenerated < ExpirationDateTime\n| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId\n| project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup\n| extend timestamp = TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "DeviceFileEvents"
+ ],
+ "connectorId": "MicrosoftThreatProtection"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "RequestAccountName"
+ },
+ {
+ "identifier": "Sid",
+ "columnName": "RequestAccountSid"
+ },
+ {
+ "identifier": "NTDomain",
+ "columnName": "RequestAccountDomain"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashValue"
+ },
+ {
+ "identifier": "Algorithm",
+ "columnName": "FileHashType"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "DeviceName"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 18",
+ "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map File Hash to DeviceFileEvents Event",
+ "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in Security Event data from any File Hash IOC from TI",
+ "displayName": "TI map File Hash to Security Event",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend FileHashValue = toupper(FileHashValue)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique ( union isfuzzy=true\n (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\n ),\n (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(EventData.FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\n )\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\n| extend NTDomain = tostring(split(Account, '\\\\', 0)[0]), Name = tostring(split(Account, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) \n| extend timestamp = SecurityEvent_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "SecurityEvent"
+ ],
+ "connectorId": "SecurityEvents"
+ },
+ {
+ "dataTypes": [
+ "SecurityEvents"
+ ],
+ "connectorId": "WindowsSecurityEvents"
+ },
+ {
+ "dataTypes": [
+ "WindowsEvent"
+ ],
+ "connectorId": "WindowsForwardedEvents"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "NTDomain",
+ "columnName": "NTDomain"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashValue"
+ },
+ {
+ "identifier": "Algorithm",
+ "columnName": "FileHashType"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 19",
+ "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map File Hash to Security Event",
+ "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
+ "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI",
+ "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \n | where ConfidenceScore > 50\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Determine AlertPriority based on ConfidenceScore\n | extend AlertPriority = case(ConfidenceScore > 82, \"High\",\n ConfidenceScore > 74, \"Medium\",\n \"Low\")\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where 
isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.CIp\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AppService_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n // Select the desired output fields\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n // Extract hostname and DNS domain from the CsHost field\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AppService_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "CsUsername"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "CIp"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "AzureResource",
+ "fieldMappings": [
+ {
+ "identifier": "ResourceId",
+ "columnName": "_ResourceId"
+ }
+ ]
+ }
+ ],
+ "alertDetailsOverride": {
+ "alertSeverityColumnName": "AlertPriority"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 20",
+ "parentId": "[variables('analyticRuleObject20').analyticRuleId20]",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
+ "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI",
+ "displayName": "TI map IP entity to AWSCloudTrail",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AWSCloudTrail\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.SourceIpAddress\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId 
and SourceIpAddress, and keep the log entry with the latest timestamp\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n // Select the desired output fields\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AWSCloudTrail_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "AWSCloudTrail"
+ ],
+ "connectorId": "AWS"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "ObjectGuid",
+ "columnName": "UserIdentityUserName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "SourceIpAddress"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 21",
+ "parentId": "[variables('analyticRuleObject21').analyticRuleId21]",
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map IP entity to AWSCloudTrail",
+ "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
+ "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.",
+ "displayName": "TI Map IP Entity to AzureActivity",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, 
CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "AzureActivity"
+ ],
+ "connectorId": "AzureActivity"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ },
+ {
+ "identifier": "AadUserId",
+ "columnName": "AadUserId"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "CallerIpAddress"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "AzureResource",
+ "fieldMappings": [
+ {
+ "identifier": "ResourceId",
+ "columnName": "ResourceId"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]",
+ "properties": {
+ "description": "Threat Intelligence Analytics Rule 22",
+ "parentId": "[variables('analyticRuleObject22').analyticRuleId22]",
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "source": {
+ "kind": "Solution",
+ "name": "Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI Map IP Entity to AzureActivity",
+ "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
+ "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI",
+ "displayName": "TI map IP entity to AzureFirewall",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' 
Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n // Select the desired output fields\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AzureFirewall_TimeGenerated\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "AzureDiagnostics"
+ ],
+ "connectorId": "AzureFirewall"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "TI_ipEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
}
]
}
@@ -3562,13 +4831,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 14",
- "parentId": "[variables('analyticRuleId14')]",
- "contentId": "[variables('_analyticRulecontentId14')]",
+ "description": "Threat Intelligence Analytics Rule 23",
+ "parentId": "[variables('analyticRuleObject23').analyticRuleId23]",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion14')]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3593,41 +4862,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId14')]",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map File Hash to Security Event",
- "contentProductId": "[variables('_analyticRulecontentProductId14')]",
- "id": "[variables('_analyticRulecontentProductId14')]",
- "version": "[variables('analyticRuleVersion14')]"
+ "displayName": "TI map IP entity to AzureFirewall",
+ "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName15')]",
+ "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion15')]",
+ "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId15')]",
+ "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI",
- "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "description": "Identifies a match in Azure Key Vault logs from any IP IOC from TI",
+ "displayName": "TI map IP entity to Azure Key Vault logs",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.CIp\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AppService_TimeGenerated < 
ExpirationDateTime\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n // Select the desired output fields\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n // Extract hostname and DNS domain from the CsHost field\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AppService_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project 
KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n // Rename the timestamp field\n | extend timestamp = KeyVaultEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -3638,65 +4907,40 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "KeyVaultData"
+ ],
+ "connectorId": "AzureKeyVault"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
- {
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "HostName"
- },
- {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
- }
- ]
- },
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "CsUsername"
- }
- ]
- },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "CIp"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "ClientIP"
}
]
},
@@ -3705,7 +4949,7 @@
"fieldMappings": [
{
"identifier": "ResourceId",
- "columnName": "_ResourceId"
+ "columnName": "ResourceId"
}
]
}
@@ -3715,13 +4959,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 15",
- "parentId": "[variables('analyticRuleId15')]",
- "contentId": "[variables('_analyticRulecontentId15')]",
+ "description": "Threat Intelligence Analytics Rule 24",
+ "parentId": "[variables('analyticRuleObject24').analyticRuleId24]",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion15')]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3746,41 +4990,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId15')]",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to AppServiceHTTPLogs",
- "contentProductId": "[variables('_analyticRulecontentProductId15')]",
- "id": "[variables('_analyticRulecontentProductId15')]",
- "version": "[variables('analyticRuleVersion15')]"
+ "displayName": "TI map IP entity to Azure Key Vault logs",
+ "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
+ "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName16')]",
+ "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion16')]",
+ "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId16')]",
+ "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI",
- "displayName": "TI map IP entity to AWSCloudTrail",
+ "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed",
+ "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AWSCloudTrail\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.SourceIpAddress\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId 
and SourceIpAddress, and keep the log entry with the latest timestamp\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n // Select the desired output fields\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AWSCloudTrail_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n )\n on $left.TI_ipEntity == $right.PIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \"A\")\n | where FlowStatus_s == \"A\"\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest 
timestamp\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n // Select the desired output fields\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -3791,28 +5035,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "AWS",
- "dataTypes": [
- "AWSCloudTrail"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -3820,11 +5058,15 @@
],
"entityMappings": [
{
- "entityType": "Account",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "ObjectGuid",
- "columnName": "UserIdentityUserName"
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
}
]
},
@@ -3833,7 +5075,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "SourceIpAddress"
+ "columnName": "TI_ipEntity"
}
]
},
@@ -3852,13 +5094,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 16",
- "parentId": "[variables('analyticRuleId16')]",
- "contentId": "[variables('_analyticRulecontentId16')]",
+ "description": "Threat Intelligence Analytics Rule 25",
+ "parentId": "[variables('analyticRuleObject25').analyticRuleId25]",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion16')]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -3883,41 +5125,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId16')]",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to AWSCloudTrail",
- "contentProductId": "[variables('_analyticRulecontentProductId16')]",
- "id": "[variables('_analyticRulecontentProductId16')]",
- "version": "[variables('analyticRuleVersion16')]"
+ "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
+ "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName17')]",
+ "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion17')]",
+ "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId17')]",
+ "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.",
- "displayName": "TI Map IP Entity to AzureActivity",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.",
+ "displayName": "TI Map IP Entity to Azure SQL Security Audit Events",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, 
CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\")\n | extend Action = column_ifexists(\"action_name_s\", \"Not Available\")\n | extend Application = column_ifexists(\"application_name_s\", \"Not Available\")\n | extend HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the 
corresponding indicator\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -3928,75 +5170,40 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "AzureActivity",
"dataTypes": [
- "AzureActivity"
- ]
+ "AzureDiagnostics"
+ ],
+ "connectorId": "AzureSql"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
- },
- {
- "identifier": "AadUserId",
- "columnName": "AadUserId"
- }
- ]
- },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "CallerIpAddress"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
- }
- ]
- },
- {
- "entityType": "AzureResource",
- "fieldMappings": [
- {
- "identifier": "ResourceId",
- "columnName": "ResourceId"
+ "columnName": "ClientIP"
}
]
}
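Review bot: The entityMappings after this hunk map only the IP, although the new SQL query projects `ResourceId` (the audited SQL resource as AzureDiagnostics reports it) and `HostName`; dropping the AzureResource mapping together with the AzureActivity-specific Account and URL ones loses the one entity that tells an analyst which database server the matched client reached. Keep an AzureResource entry, `{"entityType": "AzureResource", "fieldMappings": [{"identifier": "ResourceId", "columnName": "ResourceId"}]}`. host_name_s is the host name reported by the client, so I would not map it as a Host entity without confirming it is trustworthy for this source. The enclosing rule object continues outside this hunk.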
@@ -4006,13 +5213,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 17",
- "parentId": "[variables('analyticRuleId17')]",
- "contentId": "[variables('_analyticRulecontentId17')]",
+ "description": "Threat Intelligence Analytics Rule 26",
+ "parentId": "[variables('analyticRuleObject26').analyticRuleId26]",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion17')]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4037,41 +5244,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId17')]",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to AzureActivity",
- "contentProductId": "[variables('_analyticRulecontentProductId17')]",
- "id": "[variables('_analyticRulecontentProductId17')]",
- "version": "[variables('analyticRuleVersion17')]"
+ "displayName": "TI Map IP Entity to Azure SQL Security Audit Events",
+ "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
+ "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName18')]",
+ "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion18')]",
+ "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId18')]",
+ "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI",
- "displayName": "TI map IP entity to AzureFirewall",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.",
+ "displayName": "TI Map IP Entity to CommonSecurityLog",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' 
Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n // Select the desired output fields\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AzureFirewall_TimeGenerated\n",
+ "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by 
IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -4082,28 +5289,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "AzureFirewall",
"dataTypes": [
- "AzureDiagnostics"
- ]
+ "CommonSecurityLog"
+ ],
+ "connectorId": "CEF"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -4115,16 +5322,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "TI_ipEntity"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "CS_ipEntity"
}
]
}
@@ -4134,13 +5332,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 18",
- "parentId": "[variables('analyticRuleId18')]",
- "contentId": "[variables('_analyticRulecontentId18')]",
+ "description": "Threat Intelligence Analytics Rule 27",
+ "parentId": "[variables('analyticRuleObject27').analyticRuleId27]",
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion18')]",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4165,41 +5363,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId18')]",
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to AzureFirewall",
- "contentProductId": "[variables('_analyticRulecontentProductId18')]",
- "id": "[variables('_analyticRulecontentProductId18')]",
- "version": "[variables('analyticRuleVersion18')]"
+ "displayName": "TI Map IP Entity to CommonSecurityLog",
+ "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
+ "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName19')]",
+ "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion19')]",
+ "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId19')]",
+ "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in Azure Key Vault logs from any IP IOC from TI",
- "displayName": "TI map IP entity to Azure Key Vault logs",
+ "description": "Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.",
+ "displayName": "TI Map IP Entity to DeviceNetworkEvents",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project 
KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n // Rename the timestamp field\n | extend timestamp = KeyVaultEvents_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where TimeGenerated > ago(dt_lookBack)\n| where ActionType !has \"ConnectionFailed\"\n| extend isPrivate = ipv4_is_private(RemoteIP)\n| where isPrivate != true;\nlet IPs = DeviceNetworkEvents_ | distinct RemoteIP | summarize make_list(RemoteIP);\nThreatIntelligenceIndicator\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\n| where TI_ipEntity in (IPs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP\n| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName\n// DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -4210,49 +5408,71 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "DeviceNetworkEvents"
+ ],
+ "connectorId": "MicrosoftThreatProtection"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "AzureKeyVault",
"dataTypes": [
- "KeyVaultData"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ]
+ },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "TI_ipEntity"
}
]
},
{
- "entityType": "AzureResource",
+ "entityType": "URL",
"fieldMappings": [
{
- "identifier": "ResourceId",
- "columnName": "ResourceId"
+ "identifier": "Url",
+ "columnName": "RemoteUrl"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "DeviceName"
}
]
}
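Review bot: The new Host mapping feeds `DeviceName` straight into the HostName identifier, whereas the NSG rule earlier in this file splits its Computer column into HostName and DnsDomain; Defender for Endpoint's DeviceName is often a fully-qualified name, in which case this entity carries the domain inside the hostname field and will not correlate with entities other rules build from the short name. Derive the two parts in the query, `HostName = tostring(split(DeviceName, '.')[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))`, and map HostName and DnsDomain here the way the NSG rule does. The query line lives in the preceding hunk, and the enclosing rule object continues outside this one.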
@@ -4262,13 +5482,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 19",
- "parentId": "[variables('analyticRuleId19')]",
- "contentId": "[variables('_analyticRulecontentId19')]",
+ "description": "Threat Intelligence Analytics Rule 28",
+ "parentId": "[variables('analyticRuleObject28').analyticRuleId28]",
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion19')]",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4293,41 +5513,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId19')]",
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to Azure Key Vault logs",
- "contentProductId": "[variables('_analyticRulecontentProductId19')]",
- "id": "[variables('_analyticRulecontentProductId19')]",
- "version": "[variables('analyticRuleVersion19')]"
+ "displayName": "TI Map IP Entity to DeviceNetworkEvents",
+ "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
+ "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName20')]",
+ "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion20')]",
+ "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId20')]",
+ "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed",
- "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.",
+ "displayName": "TI Map IP Entity to DnsEvents",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n )\n on $left.TI_ipEntity == $right.PIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \"A\")\n | where FlowStatus_s == \"A\"\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest 
timestamp\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n // Select the desired output fields\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
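Review bot: IPv6 indicators never reach the join in the new DnsEvents query on the `+ "query"` line: as far as I know `ipv4_is_private()` returns null for a string it cannot parse as IPv4, a null predicate drops the row in `where`, so `ipv4_is_private(TI_ipEntity) == false` discards every IPv6 indicator and the `!startswith "fe80"` / `!startswith "::"` clauses after it are dead code. The removed version had the same pattern, so this is inherited rather than introduced, but the rewrite is the place to fix it: `| where coalesce(ipv4_is_private(TI_ipEntity), false) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."`. Worth a comment on that line saying the coalesce exists so IPv6 addresses are kept. The enclosing AlertRuleTemplates resource begins before and ends after this hunk.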
@@ -4338,22 +5558,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "DnsEvents"
+ ],
+ "connectorId": "DNS"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -4378,7 +5604,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "TI_ipEntity"
+ "columnName": "ClientIP"
}
]
},
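Review bot: The IP entity of the DnsEvents rule now points at `ClientIP`, the DNS client that issued the lookup, instead of `TI_ipEntity`, so the address that actually matched the indicator is no longer carried as an entity even though the query still projects `TI_ipEntity` and `SingleIP`. Pivoting on the resolving client is useful, but incident grouping and enrichment should also see the IoC address; keep this mapping and add a second IP mapping with `"identifier": "Address"` and `"columnName": "TI_ipEntity"`, or document in the rule description which of the two the entity represents. The entityMappings array starts and ends outside this hunk.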
@@ -4397,13 +5623,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 20",
- "parentId": "[variables('analyticRuleId20')]",
- "contentId": "[variables('_analyticRulecontentId20')]",
+ "description": "Threat Intelligence Analytics Rule 29",
+ "parentId": "[variables('analyticRuleObject29').analyticRuleId29]",
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion20')]",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4428,41 +5654,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId20')]",
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
- "contentProductId": "[variables('_analyticRulecontentProductId20')]",
- "id": "[variables('_analyticRulecontentProductId20')]",
- "version": "[variables('analyticRuleVersion20')]"
+ "displayName": "TI Map IP Entity to DnsEvents",
+ "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
+ "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName21')]",
+ "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion21')]",
+ "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId21')]",
+ "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.",
- "displayName": "TI Map IP Entity to Azure SQL Security Audit Events",
+ "description": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.",
+ "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\")\n | extend Action = column_ifexists(\"action_name_s\", \"Not Available\")\n | extend Application = column_ifexists(\"application_name_s\", \"Not Available\")\n | extend HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the 
corresponding indicator\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n",
+ "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n // Taking the first non-empty value based on potential IOC match availability\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \"NO_IP\")\n // Picking up only IOC's that contain the entities we want\n | where TI_ipEntity != \"NO_IP\"\n // Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet IP_TI_list = toscalar(IP_TI\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\nIP_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind = innerunique (\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
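Review bot: In the new `_Im_WebSession` query the closing `project ... SrcIpAddr, DstIpAddr, Url, Type` picks the ThreatIntelligenceIndicator columns, not the web session's: both sides of the join carry `Url` and `Type`, KQL keeps the left-side name and suffixes the right-side copy as `Url1`/`Type1`, so the `{{Url}}` placeholder this commit adds to the alert description will show the indicator's Url (normally empty for an IP IoC) rather than the requested URL. Adding `| extend Url = Url1` after the join and before the `summarize` (or renaming inside the subquery) gives the intended column. The `HAS_ANY_MAX` fallback also deserves a comment, since passing `dynamic([])` to `srcipaddr_has_any_prefix` disables the parser-side prefilter if I read the ASIM parameter convention correctly, e.g. `// more than HAS_ANY_MAX IoCs: pass an empty list so the parser does not prefilter and the join alone does the matching`. The enclosing resource object starts before and ends after this hunk.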
@@ -4473,28 +5699,34 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "SquidProxy_CL"
+ ],
+ "connectorId": "SquidProxy"
+ },
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "Zscaler"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "AzureSql",
"dataTypes": [
- "AzureDiagnostics"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -4506,23 +5738,36 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "DstIpAddr"
}
]
}
- ]
+ ],
+ "customDetails": {
+ "IndicatorId": "IndicatorId",
+ "IoCExpirationTime": "ExpirationDateTime",
+ "IoCDescription": "Description",
+ "ActivityGroupNames": "ActivityGroupNames",
+ "ThreatType": "ThreatType",
+ "EventTime": "imNWS_TimeGenerated",
+ "IoCConfidenceScore": "ConfidenceScore"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.",
+ "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 21",
- "parentId": "[variables('analyticRuleId21')]",
- "contentId": "[variables('_analyticRulecontentId21')]",
+ "description": "Threat Intelligence Analytics Rule 30",
+ "parentId": "[variables('analyticRuleObject30').analyticRuleId30]",
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion21')]",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
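Review bot: The IP entity mapping on the `+ "columnName": "DstIpAddr"` line disagrees with the rest of the rule: the join matches the indicator against `SrcIpAddr`, `alertDisplayNameFormat` says "The IP {{SrcIpAddr}} of the web request matches an IP IoC", yet the entity that investigation and incident grouping will use is the destination address, which is not the IoC. Either change it to `"columnName": "SrcIpAddr"` or, if the destination is wanted for pivoting, keep it and add a second IP mapping for `SrcIpAddr`. Relatedly, the query's `summarize ... by IndicatorId, DstIpAddr` groups per destination, so one indicator can raise one alert per destination host per run; if that is intended a comment on the summarize line would help. The entityMappings array starts outside this hunk.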
@@ -4547,41 +5792,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId21')]",
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to Azure SQL Security Audit Events",
- "contentProductId": "[variables('_analyticRulecontentProductId21')]",
- "id": "[variables('_analyticRulecontentProductId21')]",
- "version": "[variables('analyticRuleVersion21')]"
+ "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
+ "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
+ "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName22')]",
+ "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion22')]",
+ "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId22')]",
+ "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.",
- "displayName": "TI Map IP Entity to CommonSecurityLog",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.",
+ "displayName": "TI map IP entity to OfficeActivity",
"enabled": false,
- "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by 
IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nlet OfficeActivity_ = materialize(OfficeActivity\n | where isnotempty(ClientIP)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\n | where TI_ipEntity in (ActivityIPs)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\nIP_Indicators\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n| join kind=innerunique (OfficeActivity_)\n on $left.TI_ipEntity == $right.IPAddress\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n// 
Select the desired output fields\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
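Review bot: The OfficeActivity query on the `+ "query"` line admits indicators with `isnotempty(NetworkIP) or ...` but then builds `TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)`, leaving out `NetworkIP`, the field every other IP rule in this commit takes first, so an indicator that only populates NetworkIP ends up with an empty TI_ipEntity. On the other side `IPAddress` is set to `''` whenever the regex fails to parse ClientIP and `ActivityIPs` collects those empty strings, so an empty TI_ipEntity passes `in (ActivityIPs)` and the `on $left.TI_ipEntity == $right.IPAddress` join can pair an unrelated indicator with unparsed events, producing a spurious alert. Suggest `| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)` followed by `| where isnotempty(TI_ipEntity)`, plus `| where isnotempty(IPAddress)` inside `OfficeActivity_`. Separately, the named capture groups read `(?P(` and `(?P\d+)` here, which is not valid syntax for `extract_all` with a capture-group name list; if that is not a rendering artifact of this page the `<IPAddress>`/`<Port>` group names need restoring. The enclosing resource object starts before and ends after this hunk.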
@@ -4592,40 +5837,62 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "CEF",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "OfficeActivity"
+ ],
+ "connectorId": "Office365"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ]
+ },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "CS_ipEntity"
+ "columnName": "TI_ipEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
}
]
}
@@ -4635,13 +5902,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 22",
- "parentId": "[variables('analyticRuleId22')]",
- "contentId": "[variables('_analyticRulecontentId22')]",
+ "description": "Threat Intelligence Analytics Rule 31",
+ "parentId": "[variables('analyticRuleObject31').analyticRuleId31]",
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion22')]",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4666,41 +5933,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId22')]",
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to CommonSecurityLog",
- "contentProductId": "[variables('_analyticRulecontentProductId22')]",
- "id": "[variables('_analyticRulecontentProductId22')]",
- "version": "[variables('analyticRuleVersion22')]"
+ "displayName": "TI map IP entity to OfficeActivity",
+ "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
+ "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName23')]",
+ "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion23')]",
+ "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId23')]",
+ "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.",
- "displayName": "TI Map IP Entity to DnsEvents",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.",
+ "displayName": "TI Map IP Entity to SigninLogs",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet Signins = materialize(union isfuzzy=true\n (SigninLogs\n | where TimeGenerated >= ago(dt_lookBack)),\n (AADNonInteractiveUserSignInLogs\n | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\nlet SigninIPs = Signins | summarize make_list(IPAddress);\nlet TI = materialize(ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\n | where TI_ipEntity in (SigninIPs)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\nTI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\n| project-rename SigninLogs_TimeGenerated = TimeGenerated\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, Name = 
tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -4711,28 +5978,34 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "DNS",
"dataTypes": [
- "DnsEvents"
- ]
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "AADNonInteractiveUserSignInLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -4740,15 +6013,15 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "identifier": "Name",
+ "columnName": "Name"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
@@ -4757,7 +6030,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "IPAddress"
}
]
},
@@ -4776,13 +6049,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 23",
- "parentId": "[variables('analyticRuleId23')]",
- "contentId": "[variables('_analyticRulecontentId23')]",
+ "description": "Threat Intelligence Analytics Rule 32",
+ "parentId": "[variables('analyticRuleObject32').analyticRuleId32]",
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion23')]",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4807,41 +6080,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId23')]",
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to DnsEvents",
- "contentProductId": "[variables('_analyticRulecontentProductId23')]",
- "id": "[variables('_analyticRulecontentProductId23')]",
- "version": "[variables('analyticRuleVersion23')]"
+ "displayName": "TI Map IP Entity to SigninLogs",
+ "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
+ "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName24')]",
+ "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion24')]",
+ "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId24')]",
+ "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This rule identifies Web Sessions for which the source IP address is a known IoC.
This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.",
- "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.",
+ "displayName": "TI Map IP Entity to VMConnection",
"enabled": false,
- "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n // Taking the first non-empty value based on potential IOC match availability\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \"NO_IP\")\n // Picking up only IOC's that contain the entities we want\n | where TI_ipEntity != \"NO_IP\"\n // Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\nlet IP_TI_list = toscalar(IP_TI\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\nIP_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind = innerunique (\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and VMConnection events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n | extend VMConnection_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIp\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\n | where VMConnection_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n // Select the desired output fields\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, 
ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
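Review bot: The indicator filter in the new VMConnection query, `| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" ...`, appears to drop every IPv6 indicator before the `fe80`/`::` exclusions can apply, because ipv4_is_private() yields null for a value that does not parse as IPv4 and a null predicate excludes the row in `where`. If IPv6 matches are intended, the guard should tolerate that null, e.g. `| where coalesce(ipv4_is_private(TI_ipEntity), false) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."`; if the rule is meant to be IPv4-only, a short comment stating that would stop the next reader from assuming IPv6 coverage. The same construct recurs in the W3CIISLog query in the hunk at `@@ -4945,41 +6221,41 @@`, where it is applied to both TI_ipEntity and the event-side cIP, so both sides there would need the same treatment.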
@@ -4852,75 +6125,78 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SquidProxy",
- "dataTypes": [
- "SquidProxy_CL"
- ]
- },
- {
- "connectorId": "Zscaler",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "VMConnection"
+ ],
+ "connectorId": "AzureMonitor(VMInsights)"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
+ }
+ ]
+ },
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "DstIpAddr"
+ "columnName": "RemoteIp"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "Url"
}
]
}
- ],
- "customDetails": {
- "IoCExpirationTime": "ExpirationDateTime",
- "IndicatorId": "IndicatorId",
- "IoCConfidenceScore": "ConfidenceScore",
- "IoCDescription": "Description",
- "EventTime": "imNWS_TimeGenerated",
- "ThreatType": "ThreatType",
- "ActivityGroupNames": "ActivityGroupNames"
- },
- "alertDetailsOverride": {
- "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC",
- "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator."
- }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 24",
- "parentId": "[variables('analyticRuleId24')]",
- "contentId": "[variables('_analyticRulecontentId24')]",
+ "description": "Threat Intelligence Analytics Rule 33",
+ "parentId": "[variables('analyticRuleObject33').analyticRuleId33]",
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion24')]",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -4945,41 +6221,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId24')]",
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
- "contentProductId": "[variables('_analyticRulecontentProductId24')]",
- "id": "[variables('_analyticRulecontentProductId24')]",
- "version": "[variables('analyticRuleVersion24')]"
+ "displayName": "TI Map IP Entity to VMConnection",
+ "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
+ "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName25')]",
+ "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion25')]",
+ "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId25')]",
+ "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.",
- "displayName": "TI map IP entity to OfficeActivity",
+ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.",
+ "displayName": "TI Map IP Entity to W3CIISLog",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and OfficeActivity events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIP)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.IPAddress\n // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n | where OfficeActivity_TimeGenerated < ExpirationDateTime\n // Group the results by 
IndicatorId and keep the OfficeActivity event with the latest timestamp\n | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n // Select the desired output fields\n | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and W3CIISLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.cIP\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n // Select the desired output 
fields\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -4990,28 +6266,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "Office365",
"dataTypes": [
- "OfficeActivity"
- ]
+ "W3CIISLog"
+ ],
+ "connectorId": "AzureMonitor(IIS)"
}
],
"tactics": [
@@ -5023,11 +6299,16 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "Name"
- },
+ "columnName": "csUserName"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "identifier": "HostName",
+ "columnName": "Computer"
}
]
},
@@ -5036,7 +6317,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "TI_ipEntity"
+ "columnName": "cIP"
}
]
},
@@ -5055,13 +6336,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 25",
- "parentId": "[variables('analyticRuleId25')]",
- "contentId": "[variables('_analyticRulecontentId25')]",
+ "description": "Threat Intelligence Analytics Rule 34",
+ "parentId": "[variables('analyticRuleObject34').analyticRuleId34]",
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion25')]",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5086,41 +6367,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId25')]",
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
"contentKind": "AnalyticsRule",
- "displayName": "TI map IP entity to OfficeActivity",
- "contentProductId": "[variables('_analyticRulecontentProductId25')]",
- "id": "[variables('_analyticRulecontentProductId25')]",
- "version": "[variables('analyticRuleVersion25')]"
+ "displayName": "TI Map IP Entity to W3CIISLog",
+ "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
+ "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName26')]",
+ "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion26')]",
+ "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId26')]",
+ "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.",
- "displayName": "TI Map IP Entity to SigninLogs",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.",
+ "displayName": "TI Map URL Entity to AuditLogs",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project 
SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet AuditEvents = materialize(AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated);\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where tolower(Url) in (AuditUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (AuditEvents) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
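Review bot: The prefilter and the join in the new AuditLogs query disagree on case: indicators are selected with `| where tolower(Url) in (AuditUrls)` against a lowercased list, but are then matched with `| join kind=innerunique (AuditEvents) on Url`, which is case-sensitive, so an indicator that differs from the audit URL only in case passes the prefilter and is then silently lost at the join. Joining on a normalised key on both sides keeps the two steps consistent, e.g. `| extend UrlKey = tolower(Url)` on the TI side and `| join kind=innerunique (AuditEvents | extend UrlKey = tolower(Url)) on UrlKey`; the later `summarize ... by IndicatorId, Url` and `project ... Url` would then still refer to the indicator's Url from the left side. A one-line comment above the join recording that URL matching is case-insensitive would also help, since the `tolower` on the prefilter is the only hint of that intent.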
@@ -5131,34 +6412,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "AuditLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "SigninLogs"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -5169,21 +6444,17 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
}
]
},
{
- "entityType": "IP",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPAddress"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
}
]
},
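Review bot: The new Host mapping binds `HostCustomEntity`, which the query sets from `TargetResources[0].displayName` in AuditLogs, to a Host entity's `FullName`; in Entra ID audit records that display name is usually a user, group, application or policy, not a machine, so incidents from this rule will likely carry a spurious host entity. If AuditLogs offers no real host field, dropping the Host mapping and surfacing `TargetResourceDisplayName` through custom details would be cleaner than typing it as a host — confirm against sample events before changing.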
@@ -5192,7 +6463,7 @@
"fieldMappings": [
{
"identifier": "Url",
- "columnName": "Url"
+ "columnName": "URLCustomEntity"
}
]
}
@@ -5202,13 +6473,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 26",
- "parentId": "[variables('analyticRuleId26')]",
- "contentId": "[variables('_analyticRulecontentId26')]",
+ "description": "Threat Intelligence Analytics Rule 35",
+ "parentId": "[variables('analyticRuleObject35').analyticRuleId35]",
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion26')]",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5233,41 +6504,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId26')]",
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to SigninLogs",
- "contentProductId": "[variables('_analyticRulecontentProductId26')]",
- "id": "[variables('_analyticRulecontentProductId26')]",
- "version": "[variables('analyticRuleVersion26')]"
+ "displayName": "TI Map URL Entity to AuditLogs",
+ "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
+ "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName27')]",
+ "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion27')]",
+ "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId27')]",
+ "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.",
- "displayName": "TI Map IP Entity to VMConnection",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.",
+ "displayName": "TI Map URL Entity to AuditLogs",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and VMConnection events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n | extend VMConnection_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIp\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\n | where VMConnection_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n // Select the desired output fields\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, 
ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n | where isnotempty(RemoteUrl)\n | where TimeGenerated >= ago(dt_lookBack)\n | where ActionType !has \"ConnectionFailed\"\n | extend RemoteUrl = tolower(RemoteUrl)\n | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;\nlet DeviceNetworkEventUrls = DeviceNetworkEvents_\n | distinct Url = RemoteUrl\n | summarize make_list(Url);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend Url = tolower(Url)\n| where Url in (DeviceNetworkEventUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceNetworkEvents_) on $left.Url == $right.RemoteUrl\n| where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime\n| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, Url\n| project DeviceNetworkEvents_TimeGenerated, IndicatorId, Url, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort\n| extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n| extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
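Review bot: The AlertRuleTemplate `displayName` on the `+` line reads `"displayName": "TI Map URL Entity to AuditLogs"`, but this is the rule whose description, template-spec description (`URLEntity_DeviceNetworkEvents_AnalyticalRules`) and query all target DeviceNetworkEvents; it should be `"displayName": "TI Map URL Entity to DeviceNetworkEvents"`, otherwise rule 35 and rule 36 deploy with the same name and are indistinguishable in the template gallery. The query itself reads correctly, though DeviceNetworkEvents `RemoteUrl` is typically recorded without scheme or path, so an exact equality match against a full TI `Url` indicator may rarely fire — worth validating against live data before relying on it.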
@@ -5278,28 +6549,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "DeviceNetworkEvents"
+ ],
+ "connectorId": "MicrosoftThreatProtection"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "AzureMonitor(VMInsights)",
"dataTypes": [
- "VMConnection"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -5307,24 +6578,24 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "identifier": "Name",
+ "columnName": "Name"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
{
- "entityType": "IP",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "RemoteIp"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
}
]
},
@@ -5336,6 +6607,15 @@
"columnName": "Url"
}
]
+ },
+ {
+ "entityType": "Process",
+ "fieldMappings": [
+ {
+ "identifier": "CommandLine",
+ "columnName": "InitiatingProcessCommandLine"
+ }
+ ]
}
]
}
@@ -5343,13 +6623,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 27",
- "parentId": "[variables('analyticRuleId27')]",
- "contentId": "[variables('_analyticRulecontentId27')]",
+ "description": "Threat Intelligence Analytics Rule 36",
+ "parentId": "[variables('analyticRuleObject36').analyticRuleId36]",
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion27')]",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5374,41 +6654,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId27')]",
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to VMConnection",
- "contentProductId": "[variables('_analyticRulecontentProductId27')]",
- "id": "[variables('_analyticRulecontentProductId27')]",
- "version": "[variables('analyticRuleVersion27')]"
+ "displayName": "TI Map URL Entity to AuditLogs",
+ "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
+ "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName28')]",
+ "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion28')]",
+ "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId28')]",
+ "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.",
- "displayName": "TI Map IP Entity to W3CIISLog",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.",
+ "displayName": "TI Map URL Entity to EmailUrlInfo",
"enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and W3CIISLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.cIP\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n // Select the desired output 
fields\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailUrlInfo_ = materialize(EmailUrlInfo\n | where isnotempty(Url)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend Url = tolower(Url)\n | extend EmailUrlInfo_TimeGenerated = TimeGenerated);\nlet EmailUrls = EmailUrlInfo_ | distinct Url | summarize make_list(Url);\nlet EmailUrlDomains = EmailUrlInfo_ | distinct UrlDomain | summarize make_list(UrlDomain);\nlet EmailEvents_ = materialize(EmailEvents\n | where TimeGenerated >= ago(dt_lookBack));\nlet TI = materialize(ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | where (isnotempty(Url) or isnotempty(DomainName)) \n | where tolower(Url) in (EmailUrls) or tolower(DomainName) in (EmailUrlDomains)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now());\n(union\n (TI | join kind=innerunique (EmailUrlInfo_) on Url),\n (TI | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain))\n| where EmailUrlInfo_TimeGenerated < ExpirationDateTime\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlDomain, UrlLocation, NetworkMessageId\n| extend timestamp = EmailUrlInfo_TimeGenerated\n| join kind=inner (EmailEvents_) on NetworkMessageId\n| where DeliveryAction !has \"Blocked\"\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
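Review bot: In the EmailUrlInfo query the TI side is joined on the raw `Url` and `DomainName` columns while the EmailUrlInfo side has been lower-cased, so an indicator containing any upper-case character passes the `tolower(...) in (...)` pre-filter and then fails the case-sensitive `join ... on Url` and `on $left.DomainName == $right.UrlDomain`, silently dropping the match. Normalise the TI side before the join as the DeviceNetworkEvents rule in this same change does — `| extend Url = tolower(Url), DomainName = tolower(DomainName)` after the `isnotempty` filter — and lower-case `UrlDomain` on the EmailUrlInfo side so the domain list is normalised too. This query also omits the `Description !contains_cs "State: inactive;"` / `"State: falsepos;"` exclusion that the sibling AuditLogs and DeviceNetworkEvents rules apply, so retired indicators can still raise incidents here. Separately, the metadata `displayName` for this rule-36 entry still says `TI Map URL Entity to AuditLogs` although the rule targets DeviceNetworkEvents — a copy-paste leftover.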
@@ -5419,28 +6699,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
- "ThreatIntelligenceIndicator"
- ]
+ "EmailUrlInfo"
+ ],
+ "connectorId": "AzureActiveDirectory"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "AzureMonitor(IIS)",
"dataTypes": [
- "W3CIISLog"
- ]
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
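Review bot: The first connector entry lists the `EmailUrlInfo` data type under `"connectorId": "AzureActiveDirectory"`, but EmailUrlInfo is a Microsoft 365 Defender table, not an Entra ID one; the DeviceNetworkEvents rule earlier in this change correctly uses `"connectorId": "MicrosoftThreatProtection"` for its Defender table, and this entry should match. The query also reads `EmailEvents` (for `DeliveryAction` and `RecipientEmailAddress`), so `"dataTypes": ["EmailUrlInfo", "EmailEvents"]` is the honest prerequisite; as written, the connector check passes on a workspace that only has the Entra connector and the rule is then likely to fail on unresolved tables.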
@@ -5452,25 +6732,11 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "csUserName"
- }
- ]
- },
- {
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "Computer"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
+ "columnName": "Name"
+ },
{
- "identifier": "Address",
- "columnName": "cIP"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
@@ -5489,13 +6755,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 28",
- "parentId": "[variables('analyticRuleId28')]",
- "contentId": "[variables('_analyticRulecontentId28')]",
+ "description": "Threat Intelligence Analytics Rule 37",
+ "parentId": "[variables('analyticRuleObject37').analyticRuleId37]",
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion28')]",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5520,41 +6786,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId28')]",
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map IP Entity to W3CIISLog",
- "contentProductId": "[variables('_analyticRulecontentProductId28')]",
- "id": "[variables('_analyticRulecontentProductId28')]",
- "version": "[variables('analyticRuleVersion28')]"
+ "displayName": "TI Map URL Entity to EmailUrlInfo",
+ "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
+ "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName29')]",
+ "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion29')]",
+ "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId29')]",
+ "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.",
- "displayName": "TI Map URL Entity to AuditLogs",
+ "description": "This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.",
+ "displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n",
+ "query": "let dt_lookBack = 1h;\n// let ioc_lookBack = 14d;\n// ThreatIntelligenceIndicator\n// // Picking up only IOC's that contain the entities we want\n// | where isnotempty(Url)\n// | where TimeGenerated >= ago(ioc_lookBack)\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n// | where Active == true and ExpirationDateTime > now()\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n// | join kind=innerunique (\n// OfficeActivity\n// | where TimeGenerated >= ago(dt_lookBack)\n// //Extract the Url from a number of potential fields\n// | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n// | where isnotempty(Url)\n// // Ensure we get a clean URL\n// | extend Url = tostring(split(Url, ';')[0])\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\n// // Project a single user identity that we can use for entity mapping\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n// ) on Url\n// | where OfficeActivity_TimeGenerated < ExpirationDateTime\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\n// UserType, OfficeWorkload, Parameters, Url, User\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\ndatatable() []\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -5565,28 +6831,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
- "AuditLogs"
- ]
+ "OfficeActivity"
+ ],
+ "connectorId": "Office365"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
}
],
"tactics": [
@@ -5597,17 +6863,12 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ]
- },
- {
- "entityType": "Host",
- "fieldMappings": [
+ "identifier": "Name",
+ "columnName": "Name"
+ },
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
@@ -5616,7 +6877,7 @@
"fieldMappings": [
{
"identifier": "Url",
- "columnName": "URLCustomEntity"
+ "columnName": "Url"
}
]
}
@@ -5626,13 +6887,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 29",
- "parentId": "[variables('analyticRuleId29')]",
- "contentId": "[variables('_analyticRulecontentId29')]",
+ "description": "Threat Intelligence Analytics Rule 38",
+ "parentId": "[variables('analyticRuleObject38').analyticRuleId38]",
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion29')]",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5657,41 +6918,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId29')]",
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map URL Entity to AuditLogs",
- "contentProductId": "[variables('_analyticRulecontentProductId29')]",
- "id": "[variables('_analyticRulecontentProductId29')]",
- "version": "[variables('analyticRuleVersion29')]"
+ "displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
+ "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
+ "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName30')]",
+ "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion30')]",
+ "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId30')]",
+ "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.",
- "displayName": "TI Map URL Entity to OfficeActivity Data",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.",
+ "displayName": "TI Map URL Entity to PaloAlto Data",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n) on Url\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
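Review bot: The Palo Alto join `on $left.Url == $right.PA_Url` is case-sensitive and neither side is normalised — the TI `Url` is used raw and `PA_Url` is lower-cased only in the `AdditionalExtensions` fallback branch — so indicators or `RequestURL` values with mixed case never match, unlike the sibling URL rules in this change that `tolower()` both sides. Add `| extend Url = tolower(Url)` after the TI `isnotempty(Url)` filter and lower-case the primary branch with `tolower(trim('"', PA_Url))` before the scheme-prefixing step. The rule also lacks the `Description !contains_cs "State: inactive;"` / `"State: falsepos;"` exclusion applied in the other rules, so retired indicators can still fire here. The fallback `extract` over `AdditionalExtensions` appears to capture everything up to the first double quote rather than a URL — presumably inherited from the earlier version, but worth verifying against real CEF records.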
@@ -5702,22 +6963,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Office365",
"dataTypes": [
- "OfficeActivity"
- ]
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -5725,15 +6992,20 @@
],
"entityMappings": [
{
- "entityType": "Account",
+ "entityType": "Host",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
- },
+ "identifier": "HostName",
+ "columnName": "DeviceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "identifier": "Address",
+ "columnName": "SourceIP"
}
]
},
@@ -5742,7 +7014,7 @@
"fieldMappings": [
{
"identifier": "Url",
- "columnName": "Url"
+ "columnName": "PA_Url"
}
]
}
@@ -5752,13 +7024,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 30",
- "parentId": "[variables('analyticRuleId30')]",
- "contentId": "[variables('_analyticRulecontentId30')]",
+ "description": "Threat Intelligence Analytics Rule 39",
+ "parentId": "[variables('analyticRuleObject39').analyticRuleId39]",
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion30')]",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5783,41 +7055,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId30')]",
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map URL Entity to OfficeActivity Data",
- "contentProductId": "[variables('_analyticRulecontentProductId30')]",
- "id": "[variables('_analyticRulecontentProductId30')]",
- "version": "[variables('analyticRuleVersion30')]"
+ "displayName": "TI Map URL Entity to PaloAlto Data",
+ "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
+ "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName31')]",
+ "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion31')]",
+ "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId31')]",
+ "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.",
- "displayName": "TI Map URL Entity to PaloAlto Data",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.",
+ "displayName": "TI Map URL Entity to SecurityAlert Data",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet URLRegex = \"((https?|ftp|ldap|wss?|file):\\\\/\\\\/(([\\\\:\\\\%\\\\w\\\\_\\\\-]+(\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\-]+\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{0,3})[.,:\\\\w@?^=%&\\\\/~+#-]*[\\\\w@?^=%&\\\\/~+#-])\";\nlet SecurityEvents = materialize(SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | mv-expand parse_json(Entities)\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\n | extend Url = coalesce(Entities.Url, Entities.Urls)\n | mv-expand Url\n | extend Url = tolower(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = TimeGenerated);\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend Url = tolower(Url)\n| where tolower(Url) in (EventUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\" \n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (SecurityEvents) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, 
Description, Url, Compromised_Host\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -5828,28 +7100,34 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoNetworks",
"dataTypes": [
- "CommonSecurityLog"
- ]
+ "SecurityAlert"
+ ],
+ "connectorId": "MicrosoftCloudAppSecurity"
+ },
+ {
+ "dataTypes": [
+ "SecurityAlert"
+ ],
+ "connectorId": "AzureSecurityCenter"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -5861,16 +7139,7 @@
"fieldMappings": [
{
"identifier": "HostName",
- "columnName": "DeviceName"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "Compromised_Host"
}
]
},
@@ -5879,7 +7148,7 @@
"fieldMappings": [
{
"identifier": "Url",
- "columnName": "PA_Url"
+ "columnName": "Url"
}
]
}
@@ -5889,13 +7158,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 31",
- "parentId": "[variables('analyticRuleId31')]",
- "contentId": "[variables('_analyticRulecontentId31')]",
+ "description": "Threat Intelligence Analytics Rule 40",
+ "parentId": "[variables('analyticRuleObject40').analyticRuleId40]",
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion31')]",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -5920,41 +7189,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId31')]",
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map URL Entity to PaloAlto Data",
- "contentProductId": "[variables('_analyticRulecontentProductId31')]",
- "id": "[variables('_analyticRulecontentProductId31')]",
- "version": "[variables('analyticRuleVersion31')]"
+ "displayName": "TI Map URL Entity to SecurityAlert Data",
+ "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
+ "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName32')]",
+ "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion32')]",
+ "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId32')]",
+ "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.",
- "displayName": "TI Map URL Entity to SecurityAlert Data",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.",
+ "displayName": "TI Map URL Entity to Syslog Data",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet URLRegex = \"((https?|ftp|ldap|wss?|file):\\\\/\\\\/(([\\\\:\\\\%\\\\w\\\\_\\\\-]+(\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\-]+\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{0,3})[.,:\\\\w@?^=%&\\\\/~+#-]*[\\\\w@?^=%&\\\\/~+#-])\";\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\nSecurityAlert\n| where TimeGenerated >= ago(dt_lookBack)\n| extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n| where MSTI == false\n// Extract URL from JSON data\n| extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities))) \n| mv-expand Url\n| extend Url = tostring(Url[0])\n// We only want alerts that actually contain URL data\n| where isnotempty(Url)\n// Extract hostname from JSON data for entity mapping\n| extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n| extend Alert_TimeGenerated = TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -5965,34 +7234,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftCloudAppSecurity",
- "dataTypes": [
- "SecurityAlert"
- ]
- },
- {
- "connectorId": "AzureSecurityCenter",
"dataTypes": [
- "SecurityAlert"
- ]
+ "Syslog"
+ ],
+ "connectorId": "Syslog"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -6004,7 +7267,16 @@
"fieldMappings": [
{
"identifier": "HostName",
- "columnName": "Compromised_Host"
+ "columnName": "Computer"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "HostIP"
}
]
},
@@ -6023,13 +7295,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 32",
- "parentId": "[variables('analyticRuleId32')]",
- "contentId": "[variables('_analyticRulecontentId32')]",
+ "description": "Threat Intelligence Analytics Rule 41",
+ "parentId": "[variables('analyticRuleObject41').analyticRuleId41]",
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion32')]",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -6054,41 +7326,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId32')]",
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map URL Entity to SecurityAlert Data",
- "contentProductId": "[variables('_analyticRulecontentProductId32')]",
- "id": "[variables('_analyticRulecontentProductId32')]",
- "version": "[variables('analyticRuleVersion32')]"
+ "displayName": "TI Map URL Entity to Syslog Data",
+ "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
+ "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName33')]",
+ "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion33')]",
+ "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId33')]",
+ "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.",
- "displayName": "TI Map URL Entity to Syslog Data",
+ "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.",
+ "displayName": "TI Map URL Entity to UrlClickEvents",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet UrlClickEvents_ = materialize(UrlClickEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | extend UrlClickEvents_TimeGenerated = TimeGenerated);\nlet ChainReportID = UrlClickEvents_\n | mv-expand todynamic(UrlChain)\n | extend UrlChain = tolower(UrlChain)\n | project ReportId, Url, UrlChain;\n// Url is not always in UrlChain, so we need to check both\nlet ClickedUrls = \n (union isfuzzy=false (ChainReportID), (ChainReportID | project Url = UrlChain))\n | distinct Url\n | summarize make_list(Url);\nlet TI = materialize(ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | where isnotempty(Url) and tolower(Url) in (ClickedUrls)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | project-rename TI_Url = Url, TI_Type = Type\n );\n(union isfuzzy=false (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.UrlChain),\n (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.Url))\n| project-away UrlChain\n| join kind=innerunique (UrlClickEvents_) on ReportId\n| where UrlClickEvents_TimeGenerated < ExpirationDateTime\n| summarize UrlClickEvents_TimeGenerated = arg_max(UrlClickEvents_TimeGenerated, *) by IndicatorId\n| project UrlClickEvents_TimeGenerated, AccountUpn, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, NetworkMessageId\n| extend timestamp = UrlClickEvents_TimeGenerated\n| extend timestamp = UrlClickEvents_TimeGenerated, Name = tostring(split(AccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(AccountUpn, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -6099,28 +7371,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Syslog",
"dataTypes": [
- "Syslog"
- ]
+ "UrlClickEvents"
+ ],
+ "connectorId": "MicrosoftThreatProtection"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -6128,20 +7400,15 @@
],
"entityMappings": [
{
- "entityType": "Host",
+ "entityType": "Account",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "Computer"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
+ "identifier": "Name",
+ "columnName": "Name"
+ },
{
- "identifier": "Address",
- "columnName": "HostIP"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
}
]
},
@@ -6160,13 +7427,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 33",
- "parentId": "[variables('analyticRuleId33')]",
- "contentId": "[variables('_analyticRulecontentId33')]",
+ "description": "Threat Intelligence Analytics Rule 42",
+ "parentId": "[variables('analyticRuleObject42').analyticRuleId42]",
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion33')]",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -6191,33 +7458,33 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId33')]",
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
"contentKind": "AnalyticsRule",
- "displayName": "TI Map URL Entity to Syslog Data",
- "contentProductId": "[variables('_analyticRulecontentProductId33')]",
- "id": "[variables('_analyticRulecontentProductId33')]",
- "version": "[variables('analyticRuleVersion33')]"
+ "displayName": "TI Map URL Entity to UrlClickEvents",
+ "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
+ "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName34')]",
+ "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion34')]",
+ "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId34')]",
+ "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -6225,7 +7492,7 @@
"description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.",
"displayName": "TI Map IP Entity to Duo Security",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 1)[0])\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where TimeGenerated >= ago(ioc_lookBack)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
@@ -6236,28 +7503,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -6292,13 +7559,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 34",
- "parentId": "[variables('analyticRuleId34')]",
- "contentId": "[variables('_analyticRulecontentId34')]",
+ "description": "Threat Intelligence Analytics Rule 43",
+ "parentId": "[variables('analyticRuleObject43').analyticRuleId43]",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion34')]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -6323,33 +7590,33 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId34')]",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
"contentKind": "AnalyticsRule",
"displayName": "TI Map IP Entity to Duo Security",
- "contentProductId": "[variables('_analyticRulecontentProductId34')]",
- "id": "[variables('_analyticRulecontentProductId34')]",
- "version": "[variables('analyticRuleVersion34')]"
+ "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
+ "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName35')]",
+ "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion35')]",
+ "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId35')]",
+ "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -6357,7 +7624,7 @@
"description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'",
"displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
"enabled": false,
- "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
+ "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
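Review bot: The join `on $left.DomainName==$right.DnsQuery` in the new query is a case-sensitive exact match, while the `domain_has_any` prefilter handed to `_Im_Dns` is case-insensitive and term-based, so an indicator that differs from the logged query only in letter case, or that is a parent domain of it, passes the prefilter and then silently fails to join. Unless the ASIM parser already lowercases DnsQuery (not visible here), consider normalising both sides, e.g. `| extend DomainName = tolower(DomainName)` on the TI side and `| extend DnsQuery = tolower(DnsQuery)` inside the join branch. Separately, when more than HAS_ANY_MAX active domains exist `DomainList` degrades to `dynamic([])`, which drops the prefilter entirely and scans every DNS event in the last hour; a comment such as `// above HAS_ANY_MAX indicators the prefilter is disabled and the join alone filters` would make that intended degradation explicit.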
@@ -6368,70 +7635,70 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "DNS",
"dataTypes": [
"DnsEvents"
- ]
+ ],
+ "connectorId": "DNS"
},
{
- "connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics"
- ]
+ ],
+ "connectorId": "AzureFirewall"
},
{
- "connectorId": "Zscaler",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Zscaler"
},
{
- "connectorId": "InfobloxNIOS",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "InfobloxNIOS"
},
{
- "connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCP_DNS_CL"
- ]
+ ],
+ "connectorId": "GCPDNSDataConnector"
},
{
- "connectorId": "NXLogDnsLogs",
"dataTypes": [
"NXLog_DNS_Server_CL"
- ]
+ ],
+ "connectorId": "NXLogDnsLogs"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "CiscoUmbrellaDataConnector",
"dataTypes": [
"Cisco_Umbrella_dns_CL"
- ]
+ ],
+ "connectorId": "CiscoUmbrellaDataConnector"
},
{
- "connectorId": "Corelight",
"dataTypes": [
"Corelight_CL"
- ]
+ ],
+ "connectorId": "Corelight"
}
],
"tactics": [
@@ -6467,30 +7734,30 @@
}
],
"customDetails": {
- "DnsQuery": "DnsQuery",
"IndicatorId": "IndicatorId",
+ "ConfidenceScore": "ConfidenceScore",
+ "QueryType": "DnsQueryType",
"Description": "Description",
- "ThreatType": "ThreatType",
"ActivityGroupNames": "ActivityGroupNames",
+ "ThreatType": "ThreatType",
+ "DnsQuery": "DnsQuery",
"DNSRequestTime": "DNS_TimeGenerated",
- "QueryType": "DnsQueryType",
+ "ExpirationDateTime": "ExpirationDateTime",
"SourceIPAddress": "SrcIpAddr",
- "ConfidenceScore": "ConfidenceScore",
- "LatestIndicatorTime": "LatestIndicatorTime",
- "ExpirationDateTime": "ExpirationDateTime"
+ "LatestIndicatorTime": "LatestIndicatorTime"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 35",
- "parentId": "[variables('analyticRuleId35')]",
- "contentId": "[variables('_analyticRulecontentId35')]",
+ "description": "Threat Intelligence Analytics Rule 44",
+ "parentId": "[variables('analyticRuleObject44').analyticRuleId44]",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion35')]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -6515,41 +7782,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId35')]",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
"contentKind": "AnalyticsRule",
"displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
- "contentProductId": "[variables('_analyticRulecontentProductId35')]",
- "id": "[variables('_analyticRulecontentProductId35')]",
- "version": "[variables('analyticRuleVersion35')]"
+ "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
+ "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName36')]",
+ "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion36')]",
+ "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId36')]",
+ "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This rule identifies DNS requests for which response IP address is a known IoC.
\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.",
+ "description": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.",
"displayName": "TI map IP entity to DNS Events (ASIM DNS schema)",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = \nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n| where IoC != \"NO_IP\"\n;\nIP_TI\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n(\n_Im_Dns(starttime=ago(dt_lookBack))\n| where isnotempty(DnsResponseName)\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\n| extend addresses = extract_all (@'(\\d+\\.\\d+\\.\\d+\\.\\d+)', DnsResponseName)\n| mv-expand IoC = addresses to typeof(string)\n)\non IoC\n| where imDns_mintime < ExpirationDateTime\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = \nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n| where IoC != \"NO_IP\"\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\nIP_TI\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n(\n_Im_Dns(starttime=ago(dt_lookBack))\n| where isnotempty(DnsResponseName)\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\n| extend addresses = extract_all (@'(\\d+\\.\\d+\\.\\d+\\.\\d+)', DnsResponseName)\n| mv-expand IoC = addresses to typeof(string)\n)\non IoC\n| where imDns_mintime < ExpirationDateTime\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
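Review bot: The new IP_TI branch can only ever match IPv4 responses, because the DNS side extracts addresses with `extract_all(@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)` while nothing on the TI side excludes IPv6 indicators, so IPv6 IoCs in NetworkIP/NetworkDestinationIP are carried through the arg_max and then never join. The unanchored pattern also accepts a four-octet fragment of a longer digit run, which could produce a spurious IoC value. If IPv4-only scope is intended, stating it in the rule description (e.g. `Only IPv4 response addresses are matched.`) would prevent analysts from assuming IPv6 coverage; otherwise the response-name parsing needs an IPv6-aware extraction.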
@@ -6560,70 +7827,70 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "DNS",
"dataTypes": [
"DnsEvents"
- ]
+ ],
+ "connectorId": "DNS"
},
{
- "connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics"
- ]
+ ],
+ "connectorId": "AzureFirewall"
},
{
- "connectorId": "Zscaler",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Zscaler"
},
{
- "connectorId": "InfobloxNIOS",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "InfobloxNIOS"
},
{
- "connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCP_DNS_CL"
- ]
+ ],
+ "connectorId": "GCPDNSDataConnector"
},
{
- "connectorId": "NXLogDnsLogs",
"dataTypes": [
"NXLog_DNS_Server_CL"
- ]
+ ],
+ "connectorId": "NXLogDnsLogs"
},
{
- "connectorId": "CiscoUmbrellaDataConnector",
"dataTypes": [
"Cisco_Umbrella_dns_CL"
- ]
+ ],
+ "connectorId": "CiscoUmbrellaDataConnector"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "Corelight",
"dataTypes": [
"Corelight_CL"
- ]
+ ],
+ "connectorId": "Corelight"
}
],
"tactics": [
@@ -6659,33 +7926,33 @@
}
],
"customDetails": {
- "DnsQuery": "DnsQuery",
"IndicatorId": "IndicatorId",
+ "ConfidenceScore": "ConfidenceScore",
"Description": "Description",
- "ThreatType": "ThreatType",
"ActivityGroupNames": "ActivityGroupNames",
+ "ThreatType": "ThreatType",
+ "DnsQuery": "DnsQuery",
"DNSRequestTime": "imDns_mintime",
+ "ExpirationDateTime": "ExpirationDateTime",
"SourceIPAddress": "SrcIpAddr",
- "ConfidenceScore": "ConfidenceScore",
- "LatestIndicatorTime": "LatestIndicatorTime",
- "ExpirationDateTime": "ExpirationDateTime"
+ "LatestIndicatorTime": "LatestIndicatorTime"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC",
- "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator."
+ "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
+ "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 36",
- "parentId": "[variables('analyticRuleId36')]",
- "contentId": "[variables('_analyticRulecontentId36')]",
+ "description": "Threat Intelligence Analytics Rule 45",
+ "parentId": "[variables('analyticRuleObject45').analyticRuleId45]",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion36')]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -6710,41 +7977,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId36')]",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
"contentKind": "AnalyticsRule",
"displayName": "TI map IP entity to DNS Events (ASIM DNS schema)",
- "contentProductId": "[variables('_analyticRulecontentProductId36')]",
- "id": "[variables('_analyticRulecontentProductId36')]",
- "version": "[variables('analyticRuleVersion36')]"
+ "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
+ "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName37')]",
+ "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion37')]",
+ "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId37')]",
+ "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC.
\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema",
+ "description": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema",
"displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
"enabled": false,
- "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n | where TI_ipEntity != \"NO_IP\"\n);\nIP_TI\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique \n(\n _Im_NetworkSession (starttime=ago(dt_lookBack))\n | where isnotempty(SrcIpAddr)\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\n | project-rename SrcMatch = Active\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\n | project-rename DstMatch = Active\n | where SrcMatch or DstMatch\n | extend \n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n)on $left.TI_ipEntity == $right.IoCIP\n| where imNWS_mintime < ExpirationDateTime\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n | where TI_ipEntity != \"NO_IP\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n);\nIP_TI\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique \n(\n _Im_NetworkSession (starttime=ago(dt_lookBack))\n | where isnotempty(SrcIpAddr)\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\n | project-rename SrcMatch = Active\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\n | project-rename DstMatch = Active\n | where SrcMatch or DstMatch\n | extend \n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n)on $left.TI_ipEntity == $right.IoCIP\n| where imNWS_mintime < ExpirationDateTime\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
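Review bot: The reworded description at the top of this hunk still reads `This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC.`; suggest `This rule identifies network sessions for which the source or destination IP address is a known IoC.` In the query itself, `| where isnotempty(SrcIpAddr)` is applied before the destination lookup, so a session record with only DstIpAddr populated is dropped even when that address matches an indicator; if that is deliberate, a one-line comment such as `// sessions without a source address are ignored` would make it explicit, and if not, the filter can be relaxed to `| where isnotempty(SrcIpAddr) or isnotempty(DstIpAddr)`.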
@@ -6755,107 +8022,113 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AWSS3",
"dataTypes": [
"AWSVPCFlow"
- ]
+ ],
+ "connectorId": "AWSS3"
},
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceNetworkEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
},
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
- ]
+ ],
+ "connectorId": "WindowsForwardedEvents"
},
{
- "connectorId": "Zscaler",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Zscaler"
},
{
- "connectorId": "MicrosoftSysmonForLinux",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "MicrosoftSysmonForLinux"
},
{
- "connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "PaloAltoNetworks"
},
{
- "connectorId": "AzureMonitor(VMInsights)",
"dataTypes": [
"VMConnection"
- ]
+ ],
+ "connectorId": "AzureMonitor(VMInsights)"
},
{
- "connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics"
- ]
+ ],
+ "connectorId": "AzureFirewall"
},
{
- "connectorId": "AzureNSG",
"dataTypes": [
"AzureDiagnostics"
- ]
+ ],
+ "connectorId": "AzureNSG"
},
{
- "connectorId": "CiscoASA",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CiscoASA"
},
{
- "connectorId": "Corelight",
"dataTypes": [
"Corelight_CL"
- ]
+ ],
+ "connectorId": "Corelight"
},
{
- "connectorId": "AIVectraStream",
"dataTypes": [
"VectraStream"
- ]
+ ],
+ "connectorId": "AIVectraStream"
},
{
- "connectorId": "CheckPoint",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CheckPoint"
},
{
- "connectorId": "Fortinet",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Fortinet"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
},
{
- "connectorId": "CiscoMeraki",
"dataTypes": [
"Syslog",
"CiscoMerakiNativePoller"
- ]
+ ],
+ "connectorId": "CiscoMeraki"
+ },
+ {
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
}
],
"tactics": [
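Review bot: The requiredDataConnectors list for this rule now carries `ThreatIntelligenceTaxii` and `MicrosoftDefenderThreatIntelligence` but not the platform `ThreatIntelligence` connector that the sibling rules in this file (the Duo and DNS rules above) list alongside those two. The query reads ThreatIntelligenceIndicator, which any of those connectors may populate, so the declared prerequisites understate where indicators can come from; if the omission is not intentional, add `{ "dataTypes": [ "ThreatIntelligenceIndicator" ], "connectorId": "ThreatIntelligence" }` next to the Taxii entry.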
@@ -6874,31 +8147,31 @@
],
"customDetails": {
"IndicatorId": "IndicatorId",
- "IoCConfidenceScore": "ConfidenceScore",
- "IoCDescription": "Description",
+ "IoCIPDirection": "IoCDirection",
"IoCExpirationTime": "ExpirationDateTime",
- "EventEndTime": "imNWS_maxtime",
+ "IoCDescription": "Description",
"ActivityGroupNames": "ActivityGroupNames",
"ThreatType": "ThreatType",
- "IoCIPDirection": "IoCDirection",
- "EventStartTime": "imNWS_mintime"
+ "EventStartTime": "imNWS_mintime",
+ "IoCConfidenceScore": "ConfidenceScore",
+ "EventEndTime": "imNWS_maxtime"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.",
- "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator."
+ "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.",
+ "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 37",
- "parentId": "[variables('analyticRuleId37')]",
- "contentId": "[variables('_analyticRulecontentId37')]",
+ "description": "Threat Intelligence Analytics Rule 46",
+ "parentId": "[variables('analyticRuleObject46').analyticRuleId46]",
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion37')]",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
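Review bot: The `alertDescriptionFormat` line moved in this hunk still ends with `Consult the threat intelligence blead for more information on the indicator.`; `blead` should be `blade`, matching the wording used by the DNS rule's alert text elsewhere in this file. Since this string is what analysts see on every alert the rule raises, fixing it while the line is already being rewritten is cheap.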
@@ -6923,33 +8196,33 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId37')]",
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
"contentKind": "AnalyticsRule",
"displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
- "contentProductId": "[variables('_analyticRulecontentProductId37')]",
- "id": "[variables('_analyticRulecontentProductId37')]",
- "version": "[variables('analyticRuleVersion37')]"
+ "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]",
+ "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName38')]",
+ "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion38')]",
+ "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId38')]",
+ "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -6957,9 +8230,9 @@
"description": "Identifies a match in GitHub_CL table from any IP IOC from TI",
"displayName": "TI map IP entity to GitHub_CL",
"enabled": false,
- "query": "ThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where Action == true\n| where TimeGenerated >= ago(ioc_lookBack)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n GitHubAudit\n | where TimeGenerated >= ago(dt_lookBack)\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n",
"queryFrequency": "PT1H",
- "queryPeriod": "P1D",
+ "queryPeriod": "P14D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
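Review bot: The comment on the first line of the new query, `let dt_lookBack = 1h; // Look back 1 hour for VMConnection events`, was copied from another rule — this rule joins against GitHubAudit, so it should read `let dt_lookBack = 1h; // Look back 1 hour for GitHubAudit events`. Separately, the pre-existing `| where Action == true` filter is still applied to ThreatIntelligenceIndicator even though the new `| where Active == true and ExpirationDateTime > now()` line now expresses the intended indicator-validity check; if `Action` on that table is not a boolean column the earlier filter either errors or drops every row, so it looks like a leftover typo for `Active` and is worth removing or confirming. Note also that dt_lookBack stays at 1h while queryPeriod moves to P14D, which is fine for the hourly schedule but means only the indicator side benefits from the longer window.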
@@ -6968,22 +8241,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "ThreatIntelligenceTaxii",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
},
{
- "connectorId": "MicrosoftDefenderThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
}
],
"tactics": [
@@ -7014,13 +8287,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]",
"properties": {
- "description": "Threat Intelligence Analytics Rule 38",
- "parentId": "[variables('analyticRuleId38')]",
- "contentId": "[variables('_analyticRulecontentId38')]",
+ "description": "Threat Intelligence Analytics Rule 47",
+ "parentId": "[variables('analyticRuleObject47').analyticRuleId47]",
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion38')]",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]",
"source": {
"kind": "Solution",
"name": "Threat Intelligence",
@@ -7045,12 +8318,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId38')]",
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
"contentKind": "AnalyticsRule",
"displayName": "TI map IP entity to GitHub_CL",
- "contentProductId": "[variables('_analyticRulecontentProductId38')]",
- "id": "[variables('_analyticRulecontentProductId38')]",
- "version": "[variables('analyticRuleVersion38')]"
+ "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]",
+ "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]"
}
},
{
@@ -7058,12 +8331,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Threat Intelligence",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.
\nData Connectors: 4, Workbooks: 1, Analytic Rules: 38, Hunting Queries: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.
\nData Connectors: 4, Workbooks: 1, Analytic Rules: 47, Hunting Queries: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -7115,218 +8388,263 @@
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId11')]",
- "version": "[variables('analyticRuleVersion11')]"
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId12')]",
- "version": "[variables('analyticRuleVersion12')]"
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId13')]",
- "version": "[variables('analyticRuleVersion13')]"
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId14')]",
- "version": "[variables('analyticRuleVersion14')]"
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId15')]",
- "version": "[variables('analyticRuleVersion15')]"
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId16')]",
- "version": "[variables('analyticRuleVersion16')]"
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId17')]",
- "version": "[variables('analyticRuleVersion17')]"
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId18')]",
- "version": "[variables('analyticRuleVersion18')]"
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId19')]",
- "version": "[variables('analyticRuleVersion19')]"
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId20')]",
- "version": "[variables('analyticRuleVersion20')]"
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId21')]",
- "version": "[variables('analyticRuleVersion21')]"
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId22')]",
- "version": "[variables('analyticRuleVersion22')]"
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId23')]",
- "version": "[variables('analyticRuleVersion23')]"
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId24')]",
- "version": "[variables('analyticRuleVersion24')]"
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId25')]",
- "version": "[variables('analyticRuleVersion25')]"
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId26')]",
- "version": "[variables('analyticRuleVersion26')]"
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId27')]",
- "version": "[variables('analyticRuleVersion27')]"
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId28')]",
- "version": "[variables('analyticRuleVersion28')]"
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId29')]",
- "version": "[variables('analyticRuleVersion29')]"
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId30')]",
- "version": "[variables('analyticRuleVersion30')]"
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId31')]",
- "version": "[variables('analyticRuleVersion31')]"
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId32')]",
- "version": "[variables('analyticRuleVersion32')]"
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId33')]",
- "version": "[variables('analyticRuleVersion33')]"
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId34')]",
- "version": "[variables('analyticRuleVersion34')]"
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId35')]",
- "version": "[variables('analyticRuleVersion35')]"
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId36')]",
- "version": "[variables('analyticRuleVersion36')]"
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId37')]",
- "version": "[variables('analyticRuleVersion37')]"
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId38')]",
- "version": "[variables('analyticRuleVersion38')]"
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]"
}
]
},
diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md
index 1f5d9220ca..ebeba0c112 100644
--- a/Solutions/Threat Intelligence/ReleaseNotes.md
+++ b/Solutions/Threat Intelligence/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
-| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytic Rules** |
+| 3.0.2 | 23-10-2023 | Updated KQL of analytic rules to improve performance in large datasets |
+| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytical Rules** |
| 3.0.0 | 14-08-2023 | Modified **Analytical Rule** (TI map Domain entity to SecurityAlert). Updated dynamic([1]) to dynamic([1,1]) so as to make result array of array consistent. |
| | | Updated **Hunting Queries** to have descriptions that meet the 255 characters limit. |
diff --git a/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json b/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json
index 4c067fefee..de23a683ac 100644
--- a/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json
+++ b/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json
@@ -125,7 +125,7 @@
{
"type": 1,
"content": {
- "json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\n"
+ "json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)\n"
},
"conditionalVisibility": {
"parameterName": "Help",
diff --git a/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml b/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml
index 986f04264a..66f70838cf 100644
--- a/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml
+++ b/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml
@@ -43,18 +43,25 @@ query: |
| project-away TargetAccount1, TargetSid1
| extend Reason = @"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours"
| order by Time_Event4722 asc
- | extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722
| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid
+ | extend HostName = tostring(split(Computer_4722, ".")[0]), DomainIndex = toint(indexof(Computer_4722, '.'))
+ | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer_4722, DomainIndex + 1), Computer_4722)
+ | extend AccountName = tostring(split(TargetAccount, "\\")[1]), AccountNTDomain = tostring(split(TargetAccount, "\\")[0])
+ | project-away DomainIndex
entityMappings:
- entityType: Account
fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
+ - identifier: Name
+ columnName: AccountName
+ - identifier: NTDomain
+ columnName: AccountNTDomain
- identifier: Sid
columnName: TargetSid
- entityType: Host
fieldMappings:
- - identifier: FullName
- columnName: HostCustomEntity
-version: 1.0.1
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: HostNameDomain
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
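Review bot: The new `AccountName`/`AccountNTDomain` extends assume TargetAccount always contains a backslash; when it does not (a bare SAM name or a UPN), `split(TargetAccount, "\\")[1]` yields an empty AccountName and the whole value lands in AccountNTDomain, so the Account entity is emitted without a name. The host split just above guards on `DomainIndex != -1`, and the account split should guard the same way: `| extend HasDomain = TargetAccount contains "\\"` followed by `| extend AccountName = iff(HasDomain, tostring(split(TargetAccount, "\\")[1]), TargetAccount), AccountNTDomain = iff(HasDomain, tostring(split(TargetAccount, "\\")[0]), "")`, with HasDomain added to the `project-away`. The `query: |` block this hunk edits begins above the hunk.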
diff --git a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1
index 5f9d14f6fb..1e5b388c6e 100644
--- a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1
+++ b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1
@@ -261,6 +261,7 @@ try
Write-Host "Package Generated Successfully!!"
# check if mainTemplate and createUiDefinition json files are valid or not
+ $solutionFolderBasePath = ($pipelineBasePath + "/" + "Solutions/" + $pipelineSolutionName).Replace("//", "/")
CheckJsonIsValid($solutionFolderBasePath)
}
}
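Review bot: The new `$solutionFolderBasePath` line builds the path by string concatenation and then only collapses `//`, so a `$pipelineBasePath` that already ends in a Windows `\` or a `$pipelineSolutionName` with a leading separator still produces a mixed or doubled path that `CheckJsonIsValid` will not find. `Join-Path` handles both cases: `$solutionFolderBasePath = Join-Path (Join-Path $pipelineBasePath "Solutions") $pipelineSolutionName`. It is also worth a one-line comment stating that `$pipelineSolutionName` is a pipeline-supplied plain folder name, since a value containing `..` would point validation outside the Solutions tree; whether it is validated upstream is not visible here. The enclosing try block begins above the hunk.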
diff --git a/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png
new file mode 100644
index 0000000000..4ccaef8d58
Binary files /dev/null and b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png differ
diff --git a/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png
new file mode 100644
index 0000000000..0faa722fd0
Binary files /dev/null and b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png differ
diff --git a/Workbooks/UserEntityBehaviorAnalytics.json b/Workbooks/UserEntityBehaviorAnalytics.json
index 54e46f63ee..a60d21ca73 100644
--- a/Workbooks/UserEntityBehaviorAnalytics.json
+++ b/Workbooks/UserEntityBehaviorAnalytics.json
@@ -1,761 +1,3109 @@
{
- "styleSettings": {},
- "fromTemplateId": "sentinel-UserAndEntityBehaviorAnalytics",
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json",
- "version": "Notebook/1.0",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "# User and Entity Behavior Analytics\n---\n\nWelcome to the User and Entity Behavior Analytics workbook. The workbook provides a guided investigation\nfor entities based on open incidents, alerts and anomalies identified by the UEBA engine. "
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "# User and Entity Behavior Analytics\n---\n\nWelcome to the User and Entity Behavior Analytics workbook. The workbook provides a guided investigation\nfor entities based on open incidents, alerts and anomalies identified by the UEBA engine."
+ },
+ "name": "Title Text"
},
- "name": "text - 2"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "36cdaf52-4303-405d-ac9c-de2037db99c3",
- "version": "KqlParameterItem/1.0",
- "name": "TimeRange",
- "label": "Time Range",
- "type": 4,
- "value": {
- "durationMs": 2419200000
- },
- "typeSettings": {
- "selectableValues": [
- {
- "durationMs": 1800000
- },
- {
- "durationMs": 3600000
- },
- {
- "durationMs": 14400000
- },
- {
- "durationMs": 43200000
- },
- {
- "durationMs": 86400000
- },
- {
- "durationMs": 172800000
- },
- {
- "durationMs": 259200000
- },
- {
- "durationMs": 604800000
- },
- {
- "durationMs": 1209600000
- },
- {
- "durationMs": 2419200000
- },
- {
- "durationMs": 2592000000
- },
- {
- "durationMs": 5184000000
- },
- {
- "durationMs": 7776000000
- }
- ]
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "36cdaf52-4303-405d-ac9c-de2037db99c3",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "label": "Time Range",
+ "type": 4,
+ "isRequired": true,
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2592000000
+ }
+ ],
+ "allowCustom": true
+ },
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": {
+ "durationMs": 1209600000
+ }
},
- "timeContext": {
- "durationMs": 86400000
+ {
+ "id": "c4470c37-5a8a-4ecd-8ece-5e98db8e8a92",
+ "version": "KqlParameterItem/1.0",
+ "name": "Help",
+ "label": "Show Help",
+ "type": 10,
+ "description": "This will show some help information to help you understand the page you are on",
+ "isRequired": true,
+ "value": "Yes",
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]"
}
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "parameters - 2"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| summarize IncidentCount=count() \r\n| project \"Open Incidents\", IncidentCount",
- "size": 4,
- "timeContext": {
- "durationMs": 2419200000
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
},
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "tiles",
- "tileSettings": {
- "titleContent": {
- "columnMatch": "Column1"
- },
- "leftContent": {
- "columnMatch": "IncidentCount",
- "formatter": 12,
- "formatOptions": {
- "palette": "auto"
- },
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- "showBorder": false,
- "size": "auto"
- }
+ "name": "TimeRangeParameterDefinition"
},
- "customWidth": "10",
- "name": "query - 16"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| summarize AlertCount=count()\r\n| project \"Alert Count\",AlertCount;\r\nTotalAlertsCount\r\n",
- "size": 4,
- "timeContext": {
- "durationMs": 2419200000
+ {
+ "type": 1,
+ "content": {
+ "json": "See below how many incidents and alerts were created during the time range selected in the time range picker above. Likewise, you will see the number of Anomalies that were triggered. To learn more about Anomalies, please click [here](https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules).",
+ "style": "info"
},
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "tiles",
- "tileSettings": {
- "titleContent": {
- "columnMatch": "Column1",
- "formatter": 1
- },
- "leftContent": {
- "columnMatch": "AlertCount",
- "formatter": 12,
- "formatOptions": {
- "palette": "auto"
- }
- },
- "showBorder": false,
- "size": "auto"
- }
- },
- "customWidth": "10",
- "name": "query - 18"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process 
through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nAnomalyTable\r\n| summarize AnomaliesCount=count()\r\n| project \"Anomalies Count\", AnomaliesCount",
- "size": 4,
- "timeContext": {
- "durationMs": 2419200000
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
},
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "tiles",
- "tileSettings": {
- "titleContent": {
- "columnMatch": "Column1",
- "formatter": 1
- },
- "leftContent": {
- "columnMatch": "AnomaliesCount",
- "formatter": 12,
- "formatOptions": {
- "palette": "auto"
- },
- "numberFormat": {
- "unit": 17,
- "options": {
- "maximumSignificantDigits": 3,
- "maximumFractionDigits": 2
- }
- }
- },
- "showBorder": false,
- "size": "auto"
- }
+ "name": "General info help message"
},
- "customWidth": "10",
- "name": "query - 17",
- "styleSettings": {
- "margin": "12"
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process 
through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\n\r\n\r\nlet TotalAnomaliesCount = AnomalyTable\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Anomalies Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}\r\n) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
1d\r\n| extend series = \"Alerts Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalIncidentsCount=SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d \r\n| extend series = \"Incidents Trend\"\r\n| project series, count_, TimeGenerated;\r\nTotalIncidentsCount | union TotalAlertsCount, TotalAnomaliesCount\r\n\r\n\r\n",
- "size": 1,
- "timeContext": {
- "durationMs": 2419200000
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "linechart",
- "chartSettings": {
- "seriesLabelSettings": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "General Info",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "General Incident Summary",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| summarize IncidentCount=count() \r\n| project \"New or active incidents\", IncidentCount",
+ "size": 4,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Column1"
+ },
+ "leftContent": {
+ "columnMatch": "IncidentCount",
+ "formatter": 12,
+ "formatOptions": {
+ "min": 0,
+ "palette": "redDark"
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ }
+ },
+ "customWidth": "12",
+ "name": "GeneralInfo - Open Incidents",
+ "styleSettings": {
+ "maxWidth": "12"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}) on $left.AlertId == $right.SystemAlertId\r\n| where Status != \"Resolved\" or Status != \"Dismissed\" \r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| summarize AlertCount=count()\r\n| project \"New or active alerts\",AlertCount;\r\nTotalAlertsCount\r\n",
+ "size": 4,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Column1",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "AlertCount",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ }
+ },
+ "customWidth": "12",
+ "name": "GeneralInfo - Alert Count",
+ "styleSettings": {
+ "maxWidth": "12"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize AnomalyCount=count()\r\n| project \"Anomaly Count\", AnomalyCount",
+ "size": 4,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Column1",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "AnomalyCount",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ }
+ },
+ "customWidth": "12",
+ "name": "GeneralInfo - Alert Count",
+ "styleSettings": {
+ "maxWidth": "12"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let TotalAnomaliesCount = Anomalies\r\n| summarize by TenantId, TimeGenerated\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Anomalies Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}\r\n) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Alerts Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalIncidentsCount=SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d \r\n| extend series = \"Incidents Trend\"\r\n| project series, count_, TimeGenerated;\r\nTotalIncidentsCount | union TotalAlertsCount, TotalAnomaliesCount\r\n\r\n\r\n",
+ "size": 1,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "Incidents Trend",
+ "label": "Incidents",
+ "color": "red"
+ },
+ {
+ "seriesName": "Alerts Trend",
+ "label": "Alerts",
+ "color": "orange"
+ },
+ {
+ "seriesName": "Anomalies Trend",
+ "label": "Anomalies",
+ "color": "blueDark"
+ }
+ ]
+ }
+ },
+ "customWidth": "60",
+ "name": "GeneralInfo - TimeSeries",
+ "styleSettings": {
+ "maxWidth": "60"
+ }
+ }
+ ]
+ },
+ "customWidth": "100",
+ "name": "General Incident Summary",
+ "styleSettings": {
+ "maxWidth": "100"
+ }
+ },
{
- "seriesName": "Incidents Trend",
- "label": "Incidents Counts",
- "color": "blue"
+ "type": 1,
+ "content": {
+ "json": "Below you will find the total number of anomalies, plus how many of those have an account or an IP entity. Note that we are also counting anomalies that involve known hosts, but as are currently not mapped as entities. The query for \"Anomalies with hosts\" counts the hosts that were parsed out of the following entity enrichments: \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\". See more about these [here](https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#device-used-to-connect).\r\n",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "Anomalies help"
},
{
- "seriesName": "Alerts Trend",
- "label": "Alerts Counts",
- "color": "redBright"
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Anomaly Summary",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| count",
+ "size": 4,
+ "title": "Total anomalies",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "blue"
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "20",
+ "name": "AnomalyInfo - Anomalies"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| count",
+ "size": 4,
+ "title": "Anomalies with account entity",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {},
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "blue"
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "20",
+ "name": "AnomalyInfo - Account Anomaly"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| count",
+ "size": 4,
+ "title": "Anomalies with IP entity",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {},
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "blue"
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "20",
+ "name": "AnomalyInfo - IP Anomaly"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Currently there is no mapping with hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", \"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]) ;\r\nAnomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| count",
+ "size": 4,
+ "title": "Anomalies with a host",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {},
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "blue"
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "20",
+ "name": "AnomalyInfo - Host Anomaly"
+ }
+ ]
+ },
+ "name": "Anomaly Summary"
}
]
- }
- },
- "customWidth": "70",
- "name": "query - 19"
- },
- {
- "type": 1,
- "content": {
- "json": "## Top users to investigate - by Incidents, alerts & anomalies\r\n---\r\n"
- },
- "name": "text - 3"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let AnomalousSigninActivity = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\n| join (\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Persistence\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\nlet AnomalousRoleAssignment = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Add member to role\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = tostring(TargetResources.userPrincipalName)\n| join kind=inner ( BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Add member to role\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend AnomalyName = \"Anomalous Role Assignemt\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\nBehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\");\nlet AnomalousResourceAccess = LogOns\n| where ActionType == \"ResourceAccess\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous Resource Access\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousRDPActivity = LogOns\n| where ActionType == \"RemoteInteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous RDP Activity\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousLogintoDevices = LogOns\n| where ActionType == \"InteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\n| extend AnomalyName = \"Anomalous Login To Devices\",\n Tactic = \"Privilege Escalation\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousPasswordReset = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Reset user password\"\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\n| join (\nAuditLogs\n | where TimeGenerated {TimeRange:query}\n | where OperationName == \"Reset user password\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Password Reset\",\n Tactic = \"Impact\",\n Technique = \"Account Access Removal\",\n SubTechnique = \"\",\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\n| join (\nSigninLogs\n | where TimeGenerated {TimeRange:query}\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Initial Access\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousFailedLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\"\n| where UsersInsights.BlastRadius == \"High\"\n| join (\n SigninLogs \n | where TimeGenerated {TimeRange:query}\n | where Status.errorCode == 50126\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Failed Logon\",\n Tactic = \"Credential Access\",\n Technique = \"Brute Force\",\n SubTechnique = \"Password Guessing\",\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousAADAccountManipulation = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Update user\"\n| mv-expand AdditionalDetails\n| where AdditionalDetails.key == \"UserPrincipalName\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| join kind=inner ( \n BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Update user\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \n| extend AnomalyName = \"Anomalous Account Manipulation\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate 
accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Add user\"\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\n| join(\nAuditLogs\n | where TimeGenerated {TimeRange:query} \n | where OperationName == \"Add user\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Account Creation\",\n Tactic = \"Persistence\",\n Technique = \"Create Account\",\n SubTechnique = \"Cloud Account\",\n Description = \"Adversaries may 
create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\nlet TopUsersByAnomalies = AnomalyTable\n| summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\n| project Name=tolower(UserName),UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\n| sort by AnomalyCount desc;\nlet TopUsersByIncidents = SecurityIncident\n| where TimeGenerated {TimeRange:query} \n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\n| where Status == \"New\" or Status == \"Active\"\n| mv-expand AlertIds\n| extend AlertId = tostring(AlertIds)\n| join kind= innerunique ( \nSecurityAlert | where TimeGenerated {TimeRange:query} \n) on $left.AlertId == $right.SystemAlertId\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\n| mv-expand todynamic(Entities)\n| where Entities[\"Type\"] =~ 
\"account\"\n| extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]) , Host = tostring(Entities[\"Host\"])\n| extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\n| union TopUsersByAnomalies\n| extend \n AadPivot = iff(isempty(AadUserId),iff(isempty(Sid),Name,Sid),AadUserId),\n SidPivot = iff(isempty(Sid),iff(isempty(AadUserId),Name,AadUserId),Sid),\n UPNExists = iff(isempty(UPN), false,true),\n NameExists = iff(isempty(Name), false,true),\n SidExists = iff(isempty(Sid), false,true),\n AADExists = iff(isempty(AadUserId), false,true)\n| summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber,4),AlertCount=dcountif(AlertId,isnotempty(AlertId),4),AnomalyCount=sum(AnomalyCount),any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true),NameAnchor=anyif(Name, NameExists == true),AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true) , any(SidPivot) by AadPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount),AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title,any_Severity,any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), 
SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity,any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\n| project [\"UserName\"]=NameAnchor,IncidentCount, AlertCount,AnomalyCount, [\"AadUserId\"]=AadAnchor,[\"OnPremSid\"]=SidAnchor , [\"UserPrincipalName\"]=UPNAnchor;\nTopUsersByIncidents\n| sort by IncidentCount, AlertCount, AnomalyCount desc\n",
- "size": 1,
- "showAnalytics": true,
- "timeContext": {
- "durationMs": 2419200000
},
- "timeContextFromParameter": "TimeRange",
- "exportedParameters": [
- {
- "fieldName": "UserPrincipalName",
- "parameterName": "SelectedUser",
- "parameterType": 1
- },
- {
- "fieldName": "UserName",
- "parameterName": "UserName",
- "parameterType": 1,
- "defaultValue": "None"
- },
- {
- "fieldName": "AadUserId",
- "parameterName": "UserObjectId",
- "parameterType": 1
- },
- {
- "fieldName": "OnPremSid",
- "parameterName": "UserSid",
- "parameterType": 1
- },
- {
- "fieldName": "AnomalyCount",
- "parameterName": "AnomalyCount",
- "parameterType": 1,
- "defaultValue": "0"
- }
- ],
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "table",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "IncidentCount",
- "formatter": 8,
- "formatOptions": {
- "palette": "redDark"
+ "name": "General Info"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "Below you will find incidents that have entities involved in anomalies created up to 3 days prior to the incident creation.
Expand each entity to find the anomalies. When you click on the anomalies, you will visualize them on the right-hand side.
Finally, click on each of the anomalies to see anomaly reasons and device insights. Note that device insights are empty when there is no relevant information to show.",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "Help text for incidents with entities"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let TopUsersByAnomalies = Anomalies\r\n | mv-expand Entities\r\n | where tostring(Entities) contains '\"Type\":\"account\"'\r\n | project\r\n TimeGenerated,\r\n AnomalyID = Id,\r\n AadUserId=tostring(Entities.AadUserId),\r\n DisplayName=tostring(Entities.DisplayName),\r\n OriginalName=tostring(Entities.Name),\r\n AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix),\r\n OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n | extend\r\n Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName),\r\n UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName; \r\nlet TopIPsByAnomalies= Anomalies\r\n | mv-expand Entities\r\n | where tostring(Entities) contains '\"Type\":\"ip\"'\r\n | project TimeGenerated, IPentity=tostring(Entities.Address), AnomalyID = Id;\r\nlet DeviceAnomalyName = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]);\r\nlet TopHostsByAnomalies =Anomalies\r\n | mv-expand AnomalyReasons\r\n | where tostring(AnomalyReasons.Name) in (DeviceAnomalyName)\r\n | extend DeviceRegex = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n | extend DeviceName = tolower(DeviceRegex)\r\n | project-rename AnomalyID = Id;\r\nlet IncidentsWithEntities = SecurityIncident\r\n | summarize TimeGenerated=max(TimeGenerated), AlertIds=make_set(AlertIds) by IncidentNumber, IncidentUrl, Title\r\n | mv-expand AlertIds\r\n | project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated, IncidentUrl, Title \r\n | join kind = inner ( \r\n SecurityAlert\r\n | distinct SystemAlertId, Entities\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n or Entities[\"Type\"] =~ \"ip\"\r\n or Entities[\"Type\"] =~ \"host\"\r\n | project\r\n SystemAlertId,\r\n IPentity = tostring(tolower(Entities.Address)),\r\n DeviceName = tostring(tolower(Entities.HostName)),\r\n 
OriginalName = tostring(tolower(Entities.Name)),\r\n OriginalUPNSuffix = tostring(Entities.UPNSuffix),\r\n AadUserId = tostring(Entities.AadUserId)\r\n | extend\r\n Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName),\r\n UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName, OriginalUPNSuffix\r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | distinct\r\n TimeGenerated,\r\n IncidentNumber,\r\n IPentity,\r\n Name,\r\n AadUserId,\r\n DeviceName,\r\n UPNSuffix,\r\n IncidentUrl,\r\n Title\r\n;\r\nlet TopUserIncidents = IncidentsWithEntities\r\n | join kind= inner (TopUsersByAnomalies) on $left.Name == $right.Name\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n AadUserId= coalesce(Name, Name1),\r\n DisplayName,\r\n Name= coalesce(Name, Name1),\r\n AnomalyUPNSuffix,\r\n UPNSuffix = coalesce(UPNSuffix, UPNSuffix1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n Title,\r\n IncidentUrl;\r\nlet TopIPIncidents = IncidentsWithEntities\r\n | join kind= inner (TopIPsByAnomalies) on $left.IPentity == $right.IPentity\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n IPentity = coalesce(IPentity, IPentity1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n Title,\r\n IncidentUrl;\r\nlet TopHostsIncidents = IncidentsWithEntities\r\n | join kind= inner (TopHostsByAnomalies) on $left.DeviceName == $right.DeviceName\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n DeviceName = coalesce(DeviceName, DeviceName1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n 
Title,\r\n IncidentUrl;\r\nTopUserIncidents\r\n| union TopIPIncidents, TopHostsIncidents\r\n| extend Entity1 = coalesce(Name, AadUserId, IPentity, DeviceName)\r\n| project\r\n TimeGenerated,\r\n IncidentNumber1 = strcat('📝', IncidentNumber),\r\n Title,\r\n IncidentUrl,\r\n IPentity,\r\n DeviceName,\r\n AadUserId,\r\n Name, \r\n UPNSuffix,\r\n DisplayName,\r\n Entity = strcat('Entity 🔎', Entity1),\r\n listOfAnomalyID\r\n| sort by TimeGenerated desc",
+ "size": 0,
+ "title": "Incidents with entities present in anomalies created in the 3 preceding days",
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "listOfAnomalyID",
+ "exportParameterName": "listOfAnomalyID",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IncidentNumber",
+ "formatter": 5,
+ "formatOptions": {
+ "linkTarget": "Url"
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "IncidentUrl",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ },
+ {
+ "columnMatch": "IPentity",
+ "formatter": 5,
+ "formatOptions": {
+ "linkTarget": "GenericDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "DeviceName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AadUserId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Name",
+ "formatter": 5,
+ "formatOptions": {
+ "linkTarget": "GenericDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "UPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DisplayName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Entity",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "listOfAnomalyID",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Entity1",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "AnomalyCount",
+ "formatter": 5,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "rowLimit": 500,
+ "hierarchySettings": {
+ "treeType": 1,
+ "groupBy": [
+ "IncidentNumber1",
+ "Entity"
+ ],
+ "expandTopLevel": true,
+ "finalBy": "TimeGenerated"
+ },
+ "labelSettings": [
+ {
+ "columnId": "TimeGenerated",
+ "label": "Time Generated"
+ },
+ {
+ "columnId": "IncidentNumber1",
+ "label": "Incident number"
+ },
+ {
+ "columnId": "Title",
+ "label": "Incident name"
+ },
+ {
+ "columnId": "IncidentUrl",
+ "label": "Link to incident"
+ },
+ {
+ "columnId": "IPentity",
+ "label": "IPentity"
+ },
+ {
+ "columnId": "DeviceName",
+ "label": "DeviceName"
+ },
+ {
+ "columnId": "AadUserId",
+ "label": "AadUserId"
+ },
+ {
+ "columnId": "Name",
+ "label": "Name"
+ },
+ {
+ "columnId": "UPNSuffix",
+ "label": "UPNSuffix"
+ },
+ {
+ "columnId": "DisplayName",
+ "label": "DisplayName"
+ },
+ {
+ "columnId": "Entity",
+ "label": "Matching entity"
+ },
+ {
+ "columnId": "listOfAnomalyID",
+ "label": "List of Anomaly IDs"
+ }
+ ]
+ },
+ "sortBy": []
+ },
+ "customWidth": "40",
+ "name": "Incidents with entities present in anomalies",
+ "styleSettings": {
+ "maxWidth": "40"
}
- }
- ],
- "filter": true,
- "sortBy": [
+ },
{
- "itemKey": "AnomalyCount",
- "sortOrder": 2
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| where '{listOfAnomalyID}' contains Id\r\n| project Description, AnomalyTemplateName, RuleStatus, RuleName, Score, AnomalyReasons, DeviceInsights",
+ "size": 1,
+ "title": "Anomalies of selected incident",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
+ {
+ "fieldName": "AnomalyReasons",
+ "parameterName": "AnomalyReasonsP",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "DeviceInsights",
+ "parameterName": "DeviceInsightsP",
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Description",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "GenericDetails",
+ "linkIsContextBlade": true,
+ "customColumnWidthSetting": "90%"
+ }
+ },
+ {
+ "columnMatch": "AnomalyTemplateName",
+ "formatter": 5,
+ "formatOptions": {
+ "linkTarget": "GenericDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "RuleStatus",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Score",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyReasons",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DeviceInsights",
+ "formatter": 5
+ }
+ ]
+ },
+ "sortBy": []
+ },
+ "customWidth": "100",
+ "name": "Anomalies of selected incident",
+ "styleSettings": {
+ "maxWidth": "60"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasonsP}\",\"transformers\":null}",
+ "size": 4,
+ "title": "Anomaly Reasons",
+ "queryType": 8,
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Value",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IsAnomalous",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "Yes"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "No"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "TypicalObservations",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Anomalous?",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": "User Anomalies - AnomalyReasons"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}",
+ "size": 4,
+ "title": "DeviceInsights",
+ "noDataMessage": "None available",
+ "queryType": 8
+ },
+ "customWidth": "50",
+ "name": "DeviceInsights"
+ }
+ ]
+ },
+ "customWidth": "60",
+ "name": "InsideGroupForSelectedEntity",
+ "styleSettings": {
+ "maxWidth": "60"
+ }
}
]
},
- "sortBy": [
- {
- "itemKey": "AnomalyCount",
- "sortOrder": 2
- }
- ]
- },
- "name": "query - 2"
- },
- {
- "type": 1,
- "content": {
- "json": "Select a user to view Incidents & Alerts & Anomalies breakdown",
- "style": "upsell"
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isEqualTo",
- "value": "None"
+ "name": "Incidents with anomalies"
},
- "name": "text - 6"
- },
- {
- "type": 1,
- "content": {
- "json": "## Incidents Breakdown: [{SelectedUser}]()\r\n---\r\n"
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Use the tabs below to see users, IPs and hosts involved in incidents, alerts and anomalies. By selecting one user, IP or host from the list, you will visualize incidents and anomaly details from each one.",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "Tabs help"
},
- "name": "text - 4"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb",
- "version": "KqlParameterItem/1.0",
- "name": "Severity",
- "type": 2,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All"
+ {
+ "type": 11,
+ "content": {
+ "version": "LinkItem/1.0",
+ "style": "tabs",
+ "links": [
+ {
+ "id": "3242e20b-3930-4c10-9c08-864eee8921b9",
+ "cellValue": "rankingTab",
+ "linkTarget": "parameter",
+ "linkLabel": "Users",
+ "subTarget": "Users",
+ "style": "link"
},
- "jsonData": "[\"Low\",\"Medium\",\"High\"]",
- "timeContext": {
- "durationMs": 86400000
- }
- },
- {
- "id": "994e7321-0462-4367-aae3-a69c6d61bf26",
- "version": "KqlParameterItem/1.0",
- "name": "Status",
- "type": 2,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All"
+ {
+ "id": "07d94953-ab1a-4d94-a1ac-a49c56370cc7",
+ "cellValue": "rankingTab",
+ "linkTarget": "parameter",
+ "linkLabel": "IPs",
+ "subTarget": "IPs",
+ "style": "link"
},
- "jsonData": "[\"New\",\"Active\"]",
- "timeContext": {
- "durationMs": 86400000
+ {
+ "id": "910b02fc-54d3-462a-a27b-dc5bdf2c3302",
+ "cellValue": "rankingTab",
+ "linkTarget": "parameter",
+ "linkLabel": "Hosts",
+ "subTarget": "Hosts",
+ "style": "link"
}
- },
- {
- "id": "774bfc35-07c1-4680-b305-a65606439a53",
- "version": "KqlParameterItem/1.0",
- "name": "Owner",
- "type": 2,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "query": "SecurityIncident\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| where isnotempty(Owner.assignedTo) \r\n| distinct tostring(Owner.assignedTo)\r\n",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All"
- },
- "timeContext": {
- "durationMs": 5184000000
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
- },
- "name": "parameters - 14"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let GetUserAlert = SecurityAlert\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(TimeGenerated,*) by SystemAlertId\r\n| where Entities contains \"account\"\r\n| extend SelectedAccountUPN = tolower(tostring('{SelectedUser}')),\r\n SelectedName = tolower(tostring('{UserName}')),\r\n SelectAAD = tolower(tostring('{UserObjectId}')),\r\n SelectSID = tolower(tostring('{UserSid}'))\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]) , Host = tostring(Entities[\"Host\"])\r\n| extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| where (Name == SelectedName and SelectedName != \"\" ) or (UPN == SelectedAccountUPN and SelectedAccountUPN != \"\") or (AadUserId == SelectAAD and SelectAAD != \"\") or (Sid == SelectSID and SelectSID != \"\")\r\n| serialize Id = tostring(row_number())\r\n| project TimeGenerated, Title=DisplayName, Sid,Severity=AlertSeverity, Description, ProviderName, ProductName, SystemAlertId, Id;\r\nlet MapAlertsToIncidents = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| serialize Id = tostring(IncidentNumber)\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind=innerunique (GetUserAlert) on $left.AlertId == $right.SystemAlertId\r\n| project TimeGenerated=TimeGenerated1, Title=Title1, Severity=Severity1,Description=Description1, ProviderName, ProductName, SystemAlertId,Id=Id1,ParentId=Id, IncidentNumber;\r\nlet IncidentAlertsCount = MapAlertsToIncidents\r\n| summarize 
AlertCount=count() by IncidentNumber\r\n| join kind=innerunique (SecurityIncident \r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n) on $left.IncidentNumber == $right.IncidentNumber\r\n| extend SecOpsOwner = Owner.assignedTo\r\n| project TimeGenerated, Title,Severity,Description,AlertCount,Status,Owner=SecOpsOwner,BookmarkIds,Comments,Labels,IncidentUrl,Id=tostring(IncidentNumber),ParentId=\"root\";\r\nlet IncidentsAndAlertsForUser = MapAlertsToIncidents \r\n| union IncidentAlertsCount;\r\nIncidentsAndAlertsForUser\r\n| where (Severity == {Severity:value} or {Severity:value} == 'All') and (Status == {Status:value} or {Status:value} == 'All') and (Owner == {Owner:value} or {Owner:value} == 'All')\r\n| sort by AlertCount desc\r\n| project TimeGenerated, Title, AlertCount, Description, Severity, Status, Owner, BookmarkIds, Comments, Labels, IncidentUrl, Id, ParentId\r\n\r\n\r\n\r\n",
- "size": 1,
- "showAnalytics": true,
- "noDataMessage": "No incidents associated with this user",
- "noDataMessageStyle": 3,
- "timeContext": {
- "durationMs": 2419200000
+ ]
},
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "table",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "AlertCount",
- "formatter": 8,
- "formatOptions": {
- "palette": "grayBlue"
- }
+ "name": "RankingTabParameterDefinition"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top users to investigate - by Incidents, alerts & anomalies"
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ },
+ "name": "UserGroupTopIncidents - Title Text"
},
{
- "columnMatch": "Severity",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "colors",
- "thresholdsGrid": [
+ "type": 1,
+ "content": {
+ "json": "Click on a user from the list below to view incidents and anomalies where the user is present",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ },
+ {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ }
+ ],
+ "name": "UserGroupTopIncidents - Intro Text "
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let TopUsersByAnomalies = Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| project AadUserId=tostring(Entities.AadUserId), DisplayName=tostring(Entities.DisplayName), OriginalName=tostring(Entities.Name), AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix), OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by AadUserId, DisplayName, Name, AnomalyUPNSuffix, UPNSuffix;\r\nlet TopUsers = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| project SystemAlertId, OriginalName = tostring(tolower(Entities.Name)), OriginalUPNSuffix = tostring(Entities.UPNSuffix), AadUserId = tostring(Entities.AadUserId)\r\n | extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName, OriginalUPNSuffix\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopUsersByAnomalies\r\n| summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount), AadUserId = make_set_if(AadUserId, AadUserId != \"\") by Name, UPNSuffix;\r\nTopUsers\r\n| sort by IncidentCount, AlertCount, AnomalyCount desc",
+ "size": 0,
+ "title": "Top users by incidents, alerts and anomalies",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
{
- "operator": "==",
- "thresholdValue": "Low",
- "representation": "yellow",
- "text": "{0}{1}"
+ "fieldName": "Name",
+ "parameterName": "UserName",
+ "parameterType": 1
},
{
- "operator": "==",
- "thresholdValue": "Medium",
- "representation": "orange",
- "text": "{0}{1}"
+ "fieldName": "AadUserId",
+ "parameterName": "UserObjectId",
+ "parameterType": 1
},
{
- "operator": "==",
- "thresholdValue": "High",
- "representation": "redBright",
- "text": "{0}{1}"
+ "fieldName": "UPNSuffix",
+ "parameterName": "UserUPN",
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "IncidentCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 1,
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AnomalyCount",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AadUserId",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ }
+ }
+ ],
+ "rowLimit": 1000,
+ "filter": true,
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AnomalyCount_4",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AnomalyCount_4",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ },
+ "name": "UserGroupTopIncidents - Overview Query"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Select a user to view Incidents & Alerts & Anomalies breakdown",
+ "style": "upsell"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Select user text"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Incidents Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Incident"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Severity",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
},
{
- "operator": "Default",
- "thresholdValue": null,
- "representation": "blue",
- "text": "{0}{1}"
+ "id": "994e7321-0462-4367-aae3-a69c6d61bf26",
+ "version": "KqlParameterItem/1.0",
+ "name": "Status",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"New\",\"Active\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Parameter Incident Selection"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let IncidentUser = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| project SystemAlertId, OriginalName = tostring(tolower(Entities.Name)), OriginalUPNSuffix = tostring(Entities.UPNSuffix), AadUserId = tostring(Entities.AadUserId)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| project-away OriginalName, OriginalUPNSuffix\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (Name == '{UserName}' and Name != \"\" and UPNSuffix == '{UserUPN}') or (AadUserId == '{UserObjectId}')\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentUser\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber",
+ "size": 0,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Severity",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "Low",
+ "representation": "yellow",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Medium",
+ "representation": "orange",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "High",
+ "representation": "red",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Informational",
+ "representation": "gray",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "lightBlue",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Status",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "New",
+ "representation": "2",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Active",
+ "representation": "pending",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Closed",
+ "representation": "stopped",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Owner",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IncidentUrl",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url",
+ "linkIsContextBlade": false
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 1,
+ "palette": "orangeDark"
+ }
+ },
+ {
+ "columnMatch": "Comments",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Labels",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "TimeGenerated",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "TimeGenerated",
+ "sortOrder": 1
}
]
- }
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - User Incident Close Up"
},
{
- "columnMatch": "Id",
- "formatter": 5
+ "type": 1,
+ "content": {
+ "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Anomaly"
},
{
- "columnMatch": "Comments",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "CellDetails",
- "linkIsContextBlade": true
- }
+ "type": 1,
+ "content": {
+ "json": "Select an anomaly to view all the related details below",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ }
+ ],
+ "name": "Anomalies help"
},
{
- "columnMatch": "Labels",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "CellDetails",
- "linkIsContextBlade": true
- }
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| extend AadUserId=tostring(Entities.AadUserId), DisplayName=tostring(Entities.DisplayName), OriginalName=tostring(Entities.Name), AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix), OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| where (Name == '{UserName}' and Name != \"\" and UPNSuffix == '{UserUPN}') or (AadUserId == '{UserObjectId}')\r\n| project TimeGenerated, AnomalyRule=AnomalyTemplateName, Description, Score, RuleStatus, Tactics, Techniques, Entities, AnomalyReasons, AnomalyDetails, ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n",
+ "size": 1,
+ "noDataMessage": "No anomalies associated with this user",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
+ {
+ "fieldName": "AnomalyReasons",
+ "parameterName": "AnomalyReasons",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "AnomalyDetails",
+ "parameterName": "AnomalyDetails",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "ActivityInsights",
+ "parameterName": "ActivityInsights",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "ExtendedProperties",
+ "parameterName": "ExtendedProperties",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "DeviceInsights",
+ "parameterName": "DeviceInsights",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "UserInsights",
+ "parameterName": "UserInsights",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "ExtendedLinks",
+ "parameterName": "ExtendedLinks",
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Description",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Score",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "max": 1,
+ "palette": "purpleDark"
+ }
+ },
+ {
+ "columnMatch": "RuleStatus",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "Techniques",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "AnomalyDetails",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly."
+ }
+ },
+ {
+ "columnMatch": "AnomalyReasons",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "The detailed explanation of the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "ExtendedProperties",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object with additional data on the anomaly as key-value pairs."
+ }
+ },
+ {
+ "columnMatch": "ActivityInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "DeviceInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "UserInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the users corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "ExtendedLinks",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "List of links pointing to the data that generated the anomaly."
+ }
+ },
+ {
+ "columnMatch": "TenantId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Id",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "WorkspaceId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "VendorName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleConfigVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "StartTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "EndTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UserPrincipalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DisplayName",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "OriginalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "OriginalUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Name",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UPNSuffix",
+ "formatter": 5
+ }
+ ]
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - User Anomaly Close Up "
},
{
- "columnMatch": "IncidentUrl",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "Url"
- }
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}",
+ "size": 4,
+ "title": "User Anomalies - AnomalyReasons",
+ "queryType": 8,
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Value",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IsAnomalous",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "Yes"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "No"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "TypicalObservations",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Anomalous?",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "customWidth": "50",
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ },
+ "name": "User Anomalies - AnomalyReasons"
},
{
- "columnMatch": "ParentId",
- "formatter": 5
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}",
+ "size": 4,
+ "title": "User anomalies - DeviceInsights",
+ "noDataMessage": "None available",
+ "queryType": 8
+ },
+ "customWidth": "50",
+ "name": "User anomalies - DeviceInsights"
}
- ],
- "rowLimit": 500,
- "filter": true,
- "hierarchySettings": {
- "idColumn": "Id",
- "parentColumn": "ParentId",
- "treeType": 0,
- "expanderColumn": "Title"
- }
+ ]
},
- "sortBy": []
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
- },
- "name": "query - 6 - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "## Anomalies Breakdown: [{SelectedUser}]()\r\n---\r\n"
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Users"
+ },
+ "name": "UserGroupTopIncidents"
},
- "name": "text - 4 - Copy"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "98f0e009-27e3-451d-a105-5c40bc269c52",
- "version": "KqlParameterItem/1.0",
- "name": "AnomalyName",
- "label": " Anoamly Name",
- "type": 2,
- "isRequired": true,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All"
- },
- "jsonData": "[\"Anomalous Account Creation\",\r\n\"Anomalous Account Manipulation\",\r\n\"Anomalous Failed Logon\",\r\n\"Anomalous Geo Location Logon\",\r\n\"Anomalous Login to Devices\",\r\n\"Anomalous Password Reset\",\r\n\"Anomalous RDP Activity\",\r\n\"Anomalous Resource Access\",\r\n\"Anomalous Role Assignment\",\r\n\"Anomalous Sign-in Activity\"\r\n]",
- "timeContext": {
- "durationMs": 1209600000
- },
- "timeContextFromParameter": "TimeRange"
- },
- {
- "id": "d3c089ab-a356-40e6-af42-d33759981503",
- "version": "KqlParameterItem/1.0",
- "name": "Tactic",
- "type": 2,
- "isRequired": true,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top hosts to investigate - by Incidents, alerts & anomalies\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ "name": "UserGroupTopIncidents - Title Text"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Clicking on an entity should load anomalies and incidents where the entity is present",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ {
+ "parameterName": "help",
+ "comparison": "isEqualTo",
+ "value": "yes"
+ }
],
- "selectAllValue": "All"
- },
- "jsonData": "[\"Initial Access\",\"Execution\",\"Persistence\",\"Privilege Escalation\",\"Defense Evasion\",\"Credential Access\",\"Discovery\",\"Lateral Movement\",\"Collection\", \"Command and Control\", \"Exfiltration\",\"Impact\"]\r\n\r\n\r\n",
- "timeContext": {
- "durationMs": 1209600000
- },
- "timeContextFromParameter": "TimeRange"
- },
- {
- "id": "f84c4293-3f2b-44aa-9b0e-402d449e8b6c",
- "version": "KqlParameterItem/1.0",
- "name": "AnomalyScore",
- "label": "Anomaly Score",
- "type": 2,
- "isRequired": true,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "value": [
- "value::all"
- ],
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
+ "name": "UserGroupTopIncidents - Intro Text"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Currently there is no mapping for hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", \"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]) ;\r\nlet TopHostsByAnomalies =\r\nAnomalies\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| extend DeviceRegex = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n| extend DeviceName = tolower(DeviceRegex)\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by DeviceName;\r\nlet TopHostsIncidents = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"host\"\r\n| project SystemAlertId, DeviceName = tostring(tolower(Entities.HostName))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopHostsByAnomalies\r\n| summarize IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount) by DeviceName;\r\nTopHostsIncidents\r\n| where isnotempty(DeviceName)\r\n| sort by IncidentCount, AlertCount, AnomalyCount, DeviceName desc",
+ "size": 0,
+ "title": "Top hosts by incidents, alerts and anomalies",
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "DeviceName",
+ "exportParameterName": "Host",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "IncidentCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 1,
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AnomalyCount",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AadUserId",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ }
+ }
+ ],
+ "filter": true,
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AnomalyCount_3",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AnomalyCount_3",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ "name": "HostsGroupTopIncidents - Overview Query"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Select a host to view Incidents & Alerts & Anomalies breakdown",
+ "style": "upsell"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Host",
+ "comparison": "isEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Select user text"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Incidents Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Incident"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Severity",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
+ },
+ {
+ "id": "994e7321-0462-4367-aae3-a69c6d61bf26",
+ "version": "KqlParameterItem/1.0",
+ "name": "Status",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"New\",\"Active\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Parameter Incident Selection"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let IncidentswithHosts = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"host\"\r\n| project SystemAlertId, HostEntity = tostring(tolower(Entities.HostName))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (HostEntity == '{Host}' and HostEntity != \"\")\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentswithHosts\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber",
+ "size": 0,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Severity",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "Low",
+ "representation": "yellow",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Medium",
+ "representation": "orange",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "High",
+ "representation": "red",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Informational",
+ "representation": "gray",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "lightBlue",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Status",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "New",
+ "representation": "2",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Active",
+ "representation": "pending",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Closed",
+ "representation": "stopped",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Owner",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IncidentUrl",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url",
+ "linkIsContextBlade": false
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 1,
+ "palette": "orangeDark"
+ }
+ },
+ {
+ "columnMatch": "Comments",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Labels",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AlertCount_8",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AlertCount_8",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "Host",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "HostTopIncidents - Host Incident Close Up"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Anomaly"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Currently, hosts are not mapped as entities in anomalies. In this workbook, they are being extracted from the Anomaly description.",
+ "style": "warning"
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ "name": "Host anomalies warning"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Hover over each field on the anomalies below to see what it means",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ }
],
- "selectAllValue": "All"
- },
- "jsonData": "[\"0\",\"1\",\"2\",\"3\",\"4\",\"5\",\"6\",\"7\",\"8\",\"9\",\"10\"]",
- "timeContext": {
- "durationMs": 7776000000
- },
- "timeContextFromParameter": "TimeRange"
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
- },
- "name": "parameters - 15"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process 
through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\n\r\n\r\nlet GetUserAnomalies = AnomalyTable\r\n| extend SelectedAccountUPN = tolower(tostring('{SelectedUser}')),\r\n SelectedName = tolower(tostring('{UserName}')),\r\n SelectAAD = tolower(tostring('{UserObjectId}')),\r\n SelectSID = tolower(tostring('{UserSid}'))\r\n| where (tolower(UserName) == tolower(SelectedName) and SelectedName != \"\" ) or (tolower(UserPrincipalName) == tolower(SelectedAccountUPN) and SelectedAccountUPN != \"\") or (UsersInsights.AccountObjectId == SelectAAD and SelectAAD != \"\") or (UsersInsights.OnPremSid == SelectSID and SelectSID != \"\")\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, TargetUser,Evidence ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"], 
AccountObjectId=UsersInsights.AccountObjectId;\r\nGetUserAnomalies\r\n| where \"{AnomalyName:label}\" == 'All' or AnomalyName in ({AnomalyName})\r\n| where \"{Tactic:label}\" == 'All' or Tactic in ({Tactic})\r\n| where \"{AnomalyScore:label}\" == 'All' or [\"Anomaly Score\"] in ({AnomalyScore})\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
- "size": 1,
- "showAnalytics": true,
- "noDataMessage": "No anomalies associated with this user",
- "noDataMessageStyle": 3,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportFieldName": "Tactic",
- "exportParameterName": "TacticM",
- "exportDefaultValue": "None",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "table",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Description",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "CellDetails",
- "linkIsContextBlade": true
- }
+ "name": "Host anomalies help"
},
{
- "columnMatch": "Id",
- "formatter": 5
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Currently there is no mapping for hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", \"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]) ;\r\nAnomalies\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| extend DeviceName = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n| project TimeGenerated, Anomaly=Description, Score, RuleStatus, Tactics, Techniques, Entities, AnomalyDetails, AnomalyReasons, ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n",
+ "size": 1,
+ "noDataMessage": "No anomalies associated with this host",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
+ {
+ "fieldName": "AnomalyReasons",
+ "parameterName": "AnomalyReasons",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "DeviceInsights",
+ "parameterName": "DeviceInsights",
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Score",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "max": 1,
+ "palette": "purpleDark"
+ }
+ },
+ {
+ "columnMatch": "Techniques",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "AnomalyDetails",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly."
+ }
+ },
+ {
+ "columnMatch": "AnomalyReasons",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "The detailed explanation of the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "ExtendedProperties",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object with additional data on the anomaly as key-value pairs."
+ }
+ },
+ {
+ "columnMatch": "ExtendedLinks",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "List of links pointing to the data that generated the anomaly."
+ }
+ },
+ {
+ "columnMatch": "ActivityInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "DeviceInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "UserInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the users corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "TenantId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Id",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "WorkspaceId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "VendorName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleConfigVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Description",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "StartTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "EndTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UserPrincipalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DisplayName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "OriginalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "OriginalUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Name",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UPNSuffix",
+ "formatter": 5
+ }
+ ]
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - User Anomaly Close Up "
},
{
- "columnMatch": "IncidentUrl",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "Url"
- }
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}",
+ "size": 4,
+ "title": "Host Anomalies - AnomalyReasons",
+ "queryType": 8,
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Value",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IsAnomalous",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "Yes"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "No"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "TypicalObservations",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Anomalous?",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "customWidth": "50",
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ "name": "Host Anomalies - AnomalyReasons"
},
{
- "columnMatch": "ParentId",
- "formatter": 5
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}",
+ "size": 4,
+ "title": "Host anomalies - DeviceInsights",
+ "noDataMessage": "None available",
+ "queryType": 8
+ },
+ "customWidth": "50",
+ "name": "Host anomalies - DeviceInsights"
}
- ],
- "filter": true
+ ]
},
- "sortBy": []
- },
- "conditionalVisibility": {
- "parameterName": "UserName",
- "comparison": "isNotEqualTo",
- "value": "None"
- },
- "customWidth": "70",
- "name": "query - 6 - Copy - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "### Lateral Movement\r\n\r\nThe adversary is trying to move through your environment.\r\n\r\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0008/)"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "Lateral Movement"
- },
- "customWidth": "30",
- "name": "text - 13 - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "### Mitre Tactic Information\r\nClick on one of the anomalies to presents an overview of ATT&CK\r\n"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "None"
- },
- "customWidth": "30",
- "name": "text - 13 - Copy - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "### Initial Access\r\n\r\nThe adversary is trying to get into your network.\r\n\r\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0001/)"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "Initial Access"
- },
- "customWidth": "30",
- "name": "text - 13"
- },
- {
- "type": 1,
- "content": {
- "json": "### Persistence\r\n\r\nThe adversary is trying to maintain their foothold.\r\n\r\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0003/)"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "Persistence"
- },
- "customWidth": "30",
- "name": "text - 13 - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "### Discovery\r\n\r\nThe adversary is trying to figure out your environment.\r\n\r\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0007/)"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "Discovery"
- },
- "customWidth": "30",
- "name": "text - 13 - Copy - Copy - Copy - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": "### Collection\r\n\r\nThe adversary is trying to gather data of interest to their goal.\r\n\r\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0009/)"
- },
- "conditionalVisibility": {
- "parameterName": "TacticM",
- "comparison": "isEqualTo",
- "value": "Collection"
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "Hosts"
+ },
+ "name": "HostsGroupTopIncidents"
},
- "customWidth": "30",
- "name": "text - 13 - Copy - Copy"
- }
- ],
- "fromTemplateId": "sentinel-UserAndEntityBehaviorAnalytics",
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top IPs to investigate - by Incidents, alerts & anomalies\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ },
+ "name": "IPGroupTopIncidents - Title Text"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Clicking on an entity should load anomalies and incidents where the entity is present",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ },
+ {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ }
+ ],
+ "name": "IPGroupTopIncidents - Intro Text"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let TopIPsByAnomalies= Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| project IPentity=tostring(Entities.Address)\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by IPentity;\r\nlet TopIPs = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind = innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"ip\"\r\n| project SystemAlertId, IPentity = tostring(tolower(Entities.Address))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopIPsByAnomalies\r\n| summarize IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount) by IPentity;\r\nTopIPs\r\n| sort by IncidentCount, AlertCount, AnomalyCount, IPentity desc",
+ "size": 0,
+ "title": "Top IPs by incidents, alerts and anomalies",
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "IPentity",
+ "exportParameterName": "IP",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "IncidentCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AnomalyCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "palette": "redDark"
+ }
+ },
+ {
+ "columnMatch": "AadUserId",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ }
+ }
+ ],
+ "rowLimit": 1000,
+ "filter": true
+ },
+ "sortBy": []
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ },
+ "name": "IPGroupTopIncidents - Overview Query"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Select an IP to view Incidents & Alerts & Anomalies breakdown",
+ "style": "upsell"
+ },
+ "conditionalVisibility": {
+ "parameterName": "IP",
+ "comparison": "isEqualTo",
+ "value": "None"
+ },
+ "name": "IPGroupTopIncidents - Select IP text"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Incidents Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Incident"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Severity",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
+ },
+ {
+ "id": "994e7321-0462-4367-aae3-a69c6d61bf26",
+ "version": "KqlParameterItem/1.0",
+ "name": "Status",
+ "type": 2,
+ "isRequired": true,
+ "typeSettings": {
+ "additionalResourceOptions": [],
+ "showDefault": false
+ },
+ "jsonData": "[\"New\",\"Active\", \"All\"]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "All"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Parameter Incident Selection"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let IncidentIP = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"ip\"\r\n| project SystemAlertId, IPEntity = tostring(tolower(Entities.Address))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (IPEntity == '{IP}' and IPEntity != \"\")\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentIP\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber",
+ "size": 0,
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Severity",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "Low",
+ "representation": "yellow",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Medium",
+ "representation": "orange",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "High",
+ "representation": "red",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Informational",
+ "representation": "gray",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "lightBlue",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Status",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "New",
+ "representation": "2",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Active",
+ "representation": "pending",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Closed",
+ "representation": "stopped",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Owner",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IncidentUrl",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url",
+ "linkIsContextBlade": false
+ }
+ },
+ {
+ "columnMatch": "AlertCount",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 1,
+ "palette": "orangeDark"
+ }
+ },
+ {
+ "columnMatch": "Comments",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Labels",
+ "formatter": 7,
+ "formatOptions": {
+ "linkIsContextBlade": true
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AlertCount_8",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "$gen_heatmap_AlertCount_8",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - User Incident Close Up"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n"
+ },
+ "conditionalVisibility": {
+ "parameterName": "UserName",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - Selected User Text Anomaly"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Hover over each field on the anomalies below to see what it means",
+ "style": "info"
+ },
+ "conditionalVisibilities": [
+ {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ }
+ ],
+ "name": "IP anomalies help"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| extend IPentity=tostring(Entities.Address)\r\n| where (IPentity == '{IP}' and IPentity != \"\" )\r\n| project TimeGenerated, AnomalyRule=AnomalyTemplateName, Description, Score, RuleStatus, Tactics, Techniques, Entities, AnomalyDetails, AnomalyReasons, ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n",
+ "size": 1,
+ "noDataMessage": "No anomalies associated with this IP",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
+ {
+ "fieldName": "AnomalyReasons",
+ "parameterName": "AnomalyReasons",
+ "parameterType": 1
+ },
+ {
+ "fieldName": "DeviceInsights",
+ "parameterName": "DeviceInsights",
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Score",
+ "formatter": 8,
+ "formatOptions": {
+ "min": 0,
+ "max": 1,
+ "palette": "purpleDark"
+ }
+ },
+ {
+ "columnMatch": "Techniques",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "AnomalyDetails",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly."
+ }
+ },
+ {
+ "columnMatch": "AnomalyReasons",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "The detailed explanation of the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "ExtendedProperties",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "JSON object with additional data on the anomaly as key-value pairs."
+ }
+ },
+ {
+ "columnMatch": "ExtendedLinks",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "List of links pointing to the data that generated the anomaly."
+ }
+ },
+ {
+ "columnMatch": "ActivityInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "DeviceInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "UserInsights",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ },
+ "emptyValCustomText": "None available"
+ },
+ "tooltipFormat": {
+ "tooltip": "Insights about the users corresponding to the generated anomaly as JSON."
+ }
+ },
+ {
+ "columnMatch": "TenantId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Id",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "WorkspaceId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "VendorName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyTemplateVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleId",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "RuleConfigVersion",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Description",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "CellDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "StartTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "EndTime",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UserPrincipalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "SourceDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationIpAddress",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationLocation",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DestinationDevice",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "DisplayName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "OriginalName",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "AnomalyUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "OriginalUPNSuffix",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Name",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "UPNSuffix",
+ "formatter": 5
+ }
+ ]
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "IP",
+ "comparison": "isNotEqualTo",
+ "value": "None"
+ },
+ "name": "UserGroupTopIncidents - User Anomaly Close Up "
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}",
+ "size": 4,
+ "title": "IP Anomalies - AnomalyReasons",
+ "queryType": 8,
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Value",
+ "formatter": 1
+ },
+ {
+ "columnMatch": "Type",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "IsAnomalous",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "Yes"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "No"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "TypicalObservations",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Anomalous?",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "True",
+ "representation": "3",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "success",
+ "text": "{0}{1}"
+ }
+ ]
+ },
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Name",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "customWidth": "50",
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ },
+ "name": "User Anomalies - AnomalyReasons"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}",
+ "size": 4,
+ "title": "User anomalies - DeviceInsights",
+ "noDataMessage": "None available",
+ "queryType": 8
+ },
+ "customWidth": "50",
+ "name": "IP anomalies - DeviceInsights"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "rankingTab",
+ "comparison": "isEqualTo",
+ "value": "IPs"
+ },
+ "name": "UserGroupTopIncidentsIP "
+ }
+ ],
+ "fromTemplateId": "https://sentinelus.hosting.portal.azure.net/sentinelus/Content/1.0.02484.3403-231021-003920/Scenarios/Ecosystem/Content/Workbooks/CustomWorkbook.json",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+ }
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index b3554ad9ce..27737909a3 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1810,14 +1810,14 @@
"logoFileName": "Azure_Sentinel.svg",
"description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
"dataTypesDependencies": [
- "BehaviorAnalytics"
+ "Anomalies"
],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [
- "UserEntityBehaviorAnalyticsBlack1.png",
- "UserEntityBehaviorAnalyticsWhite1.png"
+ "UserEntityBehaviorAnalyticsBlack2.png",
+ "UserEntityBehaviorAnalyticsWhite2.png"
],
- "version": "1.2.0",
+ "version": "2.0",
"title": "User And Entity Behavior Analytics",
"templateRelativePath": "UserEntityBehaviorAnalytics.json",
"subtitle": "",
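Review bot: The bumped version on the added line is written as `"version": "2.0"`, while the entries around it use three-part semver (the previous value `"1.2.0"` and `"1.0.0"` in the next hunk), so a consumer that parses major.minor.patch may reject or mis-order this workbook; I would write `"version": "2.0.0"`. Replacing `BehaviorAnalytics` with `Anomalies` in `dataTypesDependencies` also changes which table the gallery checks before marking the workbook as ready, yet the unchanged description still advertises UEBA behaviour baselines. If the template no longer queries BehaviorAnalytics, the description should state that the workbook is driven by the Anomalies table; if it still reads both, keep both entries so the workbook is not shown as ready on a workspace that has only one of them. I cannot see the rest of the template from this hunk, so please confirm which tables it actually queries.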
@@ -2283,7 +2283,7 @@
],
"version": "1.0.0",
"title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "templateRelativePath": "ForcepointCloudSecuirtyGateway.json",
"subtitle": "",
"provider": "Forcepoint"
},