Merge branch 'Azure:master' into master

sivanguetta · May 24, 2022 · 93a131e · 93a131e
2 parents 4e1e2c7 + e79c8b9
commit 93a131e
Show file tree

Hide file tree

Showing 234 changed files with 22,509 additions and 15,418 deletions.
diff --git a/ASIM/ASimFullDeployment.json b/ASIM/ASimFullDeployment.json
@@ -92,7 +92,7 @@
                     "Workspace": {
                         "value": "[parameters('Workspace')]"
                     },
-                    "Workspace Region": {
+                    "WorkspaceRegion": {
                         "value": "[parameters('WorkspaceRegion')]"
                     }
                 }

diff --git a/ASIM/README.md b/ASIM/README.md
@@ -22,7 +22,7 @@ To deploy a single schema use the buttons below:
 | [Network Session](https://aka.ms/ASimNetworkSessionDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimNetworkSessionARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimNetworkSessionARMgov) |
 | [Web Session](https://aka.ms/ASimWebSessionDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimWebSessionARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimWebSessionARMgov)|
 | [Process Event](https://aka.ms/ASimProcessEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimProcessEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimProcessEventARMgov) |
-| [Registry](https://aka.ms/ASimRegistryEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimSentinelEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimRegistryEventARMgov) |
+| [Registry](https://aka.ms/ASimRegistryEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimRegistryEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimRegistryEventARMgov) |
 
 
 

diff --git a/DataConnectors/AIVectraDetect.json b/DataConnectors/AIVectraDetect.json
diff --git a/...kAudit/Data Connectors/alcide_kaudit.json → DataConnectors/alcide_kaudit.json b/...kAudit/Data Connectors/alcide_kaudit.json → DataConnectors/alcide_kaudit.json
@@ -1,6 +1,6 @@
 {
-  "id": "AlcideKAudit",
-  "title": "Alcide kAudit",
+  "id": "Alcide_kAudit",
+  "title": "Alcide kAudit (Preview)",
   "publisher": "Alcide",
   "descriptionMarkdown": "Alcide kAudit connector allows you to automatically export your Kubernetes cluster audit logs into Azure Sentinel in real-time. This enables enhanced visibility and observability into your Kubernetes audit logs, providing robust security and monitoring capabilities for forensics purposes.",
   "graphQueries": [
@@ -52,7 +52,7 @@
   ],
   "availability": {
       "status": 1,
-      "isPreview": false
+      "isPreview": true 
   },
   "permissions": {
       "resourceProvider": [

diff --git a/DataConnectors/illusive Attack Management System.json b/DataConnectors/illusive Attack Management System.json
diff --git a/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml b/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml
@@ -33,7 +33,11 @@ query: |
   | where DeviceVendor == "Vectra Networks"
   | where DeviceProduct == "X Series"
   | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc"
-  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | extend Category = coalesce(
+                            column_ifexists("DeviceEventCategory", ""), 
+                            extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
+                            ""
+                        )
   | project-rename threat_score = FlexNumber1
   | project-rename certainty_score = FlexNumber2
   | project-rename vectra_URL = DeviceCustomString4
@@ -77,5 +81,5 @@ alertDetailsOverride:
   alertDescriptionFormat: Malicious behavior {{Activity}} has been detected for entity {{source_entity}}. Pivot to Detect UI with {{vectra_URL}}
   alertTacticsColumnName: Tactic
   alertSeverityColumnName: Severity
-version: 1.0.1
-kind: scheduled
+version: 1.0.2
+kind: scheduled
diff --git a/Detections/VectraAI/VectraDetect-NewCampaign.yaml b/Detections/VectraAI/VectraDetect-NewCampaign.yaml
@@ -21,7 +21,11 @@ query: |
   | where DeviceProduct == "X Series"
   | where DeviceEventClassID contains "campaign"
   | where DeviceAction == "START"
-  | extend reason = extract("reason=(.+?)$", 1, AdditionalExtensions)
+  | extend reason = coalesce(
+                            column_ifexists("Reason", ""), 
+                            extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
+                            ""
+                        )
   | project-rename vectra_URL = DeviceCustomString4
   | project Activity,SourceHostName, reason, vectra_URL
   | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL
@@ -34,5 +38,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: URLCustomEntity
-version: 1.1.0
+version: 1.1.1
 kind: scheduled
diff --git a/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml b/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml
@@ -28,7 +28,11 @@ query: |
   | where DeviceVendor == "Vectra Networks"
   | where DeviceProduct == "X Series"
   | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
-  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | extend Category = coalesce(
+                            column_ifexists("DeviceEventCategory", ""), 
+                            extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
+                            ""
+                        )
   | project-rename threat_score = FlexNumber1
   | project-rename certainty_score = FlexNumber2
   | project-rename triaged = DeviceCustomString5
@@ -81,5 +85,5 @@ alertDetailsOverride:
   alertDescriptionFormat: Malicious behavior {{Activity}} has been detected for {{source_entity}}. Pivot to the detection in Detect UI with {{vectra_URL}}
   alertTacticsColumnName: Tactic
   alertSeverityColumnName: Severity
-version: 1.0.2
-kind: scheduled
+version: 1.0.3
+kind: scheduled
diff --git a/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml b/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml
@@ -4,9 +4,6 @@ description: |
   'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.'
 severity: Low 
 requiredDataConnectors: 
-  - connectorId: WindowsSecurityEvents
-    dataTypes: 
-      - SecurityEvents 
   - connectorId: WindowsForwardedEvents
     dataTypes: 
       - WindowsEvent 
@@ -61,5 +58,5 @@ entityMappings:
         columnName: FileHashAlgo
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml b/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml
@@ -4,9 +4,6 @@ description: |
   'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM'
 severity: High 
 requiredDataConnectors: 
-  - connectorId: WindowsSecurityEvents
-    dataTypes:
-      - SecurityEvents    
   - connectorId: WindowsForwardedEvents
     dataTypes:
       - WindowsEvent
@@ -69,5 +66,5 @@ entityMappings:
         columnName: AlgorithmCustomEntity
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
+kind: Scheduled
diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml
@@ -3,7 +3,7 @@ name: Account Added to Privileged PIM Group
 description: |
   'Identifies accounts that have been added to a PIM managed privileged group'
 requiredDataConnectors:
-  - connectorId: Azure Active Directory
+  - connectorId: AzureActiveDirectory
     dataTypes:
       - AuditLogs
 tactics:
@@ -21,16 +21,15 @@ query: |
   | extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
   | extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
   | extend Initiatedby = Identity
-  | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
+  | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResultReason, ResourceId, Id
   | sort by TimeGenerated desc
+  | extend timestamp = TimeGenerated, AccountCustomEntity = TargetAccount, ResourceCustomEntity = ResourceId
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: FullName
-        columnName: Initiatedby
       - identifier: FullName
         columnName: TargetAccount
-  - entityType: Azure resource
+  - entityType: AzureResource
     fieldMappings:
       - identifier: ResourceId
         columnName: ResourceId
diff --git a/Hunting Queries/AzureActivity/Common_Deployed_Resources.yaml b/Hunting Queries/AzureActivity/Common_Deployed_Resources.yaml
@@ -18,11 +18,20 @@ query: |
   AzureActivity
   | where OperationNameValue has_any (@"deployments/write", @"virtualMachines/write")  
   | where ActivityStatusValue == "Succeeded"
-  | summarize by bin(TimeGenerated,1h), Resource, ResourceGroup, OperationNameValue, Caller
+  | summarize by bin(TimeGenerated,1d), Resource, ResourceGroup, ResourceId, OperationNameValue, Caller
   | evaluate basket()
   | where isnotempty(Caller) and isnotempty(Resource) and isnotempty(TimeGenerated)
   | order by Percent desc, TimeGenerated desc
-  | extend timestamp = TimeGenerated
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, ResourceCustomEntity = ResourceId
   // remove comments below on filters if the goal is to see more common or more rare Resource, Resource Group and Caller combinations
   //| where Percent <= 40 // <-- more rare
   //| where Percent >= 60 // <-- more common
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: Caller
+  - entityType: AzureResource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml
@@ -1,22 +1,30 @@
 id: 8741deeb-332e-4061-8873-5086040920e3
 name: Anomalous AAD Account Manipulation
 description: |
-  'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy deviates from the user, his peers or the tenant profile.'
+  'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
+   Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an 
+   output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy 
+   deviates from the user, his peers or the tenant profile.'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
       - BehaviorAnalytics
+  - connectorId: AzureActiveDirectory
+    dataTypes:
       - AuditLogs
 tactics:
   - Persistence
 relevantTechniques:
   - T1098
 query: |
 
- //Critical Roles: can impersonate  any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
- //High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
- let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
- let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
+ //Critical Roles can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
+ //High Roles are Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
+ let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10',
+ 'd29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
+ let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070',
+ '7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45',
+ '7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
  AuditLogs
  | where OperationName == "Update user"
  | mv-expand AdditionalDetails
@@ -32,7 +40,19 @@ query: |
  | join kind=inner ( BehaviorAnalytics
  ) on $left._ItemId == $right.SourceRecordId
  | where UsersInsights.BlastRadius == "High" or ActivityInsights has "True"
- |  extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
- UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName) 
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName), UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName) 
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: AzureResource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous Account Creation.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous Account Creation.yaml
@@ -6,7 +6,9 @@ requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
        - BehaviorAnalytics
-       - AuditLogs
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
 tactics:
   - Persistence
 relevantTechniques:
@@ -25,5 +27,18 @@ query: |
  UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
  UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
  | sort by TimeGenerated desc	
- | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
- | extend timestamp = TimeGenerated
+ | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
+ | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+  - entityType: AzureResource
+    fieldMappings:
+      - identifier: ResourceId
+        columnName: ResourceId
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous Activity Role Assignment.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous Activity Role Assignment.yaml
@@ -17,5 +17,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights contains "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous Code Execution.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous Code Execution.yaml
@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous Data Access.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous Data Access.yaml
@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
diff --git a/Hunting Queries/BehaviorAnalytics/Anomalous Defensive Mechanism Modification.yaml b/Hunting Queries/BehaviorAnalytics/Anomalous Defensive Mechanism Modification.yaml
@@ -15,5 +15,14 @@ query: |
     BehaviorAnalytics
     | where ActionType in(operations)
     | where ActivityInsights has "True"
-    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
-    | extend timestamp = TimeGenerated
+    | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
+    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress